
Trying to add a custom attribute to the inetOrgPerson schema via helm chart #225

Open
timothytierney opened this issue Jan 10, 2025 · 2 comments
Labels
enhancement New feature or request

Comments

@timothytierney

I'm trying to add a custom attribute to the inetOrgPerson schema at startup of the k8s pods. I've tried adding to the values.yaml without any success.

I want to use the default containers from openLDAP-stack-ha. I do not want to have to change the image. Is there a way to override the existing inetorgperson.schema or add to this schema? I cannot find any documentation on the correct way to do this.

Since this is a "structuralObjectClass" it appears I cannot use the customSchemaFiles.

```yaml
customSchemaFiles:
  custom.ldif: |-
    attributetype ( 2.16.840.1.113730.3.1.5
        NAME 'test-123-tt'
        DESC 'testing 123 tt'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    objectclass ( 2.16.840.1.113730.3.2.2
        NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP organizationalPerson
        STRUCTURAL
        MAY (
            audio $ businessCategory $ carLicense $ departmentNumber $
            displayName $ employeeNumber $ employeeType $ givenName $
            homePhone $ homePostalAddress $ initials $ jpegPhoto $
            labeledURI $ mail $ manager $ mobile $ o $ pager $
            photo $ roomNumber $ secretary $ uid $ userCertificate $
            x500uniqueIdentifier $ preferredLanguage $
            userSMIMECertificate $ userPKCS12 $test-123-tt)
        )
```

Essentially I want to add 1 custom attribute into the inetorgperson schema on the creation of the k8s pods. I've read about env variables and all that stuff, but detailed steps to implement this would be great. I can't be the only person that wants to do this :)

Any help would be greatly appreciated.

@timothytierney timothytierney added the enhancement New feature or request label Jan 10, 2025
@jp-gouin (Owner)

Is it possible to do it post-deployment?
If so, can you please send me the command and file you used so I can see how to improve the chart.

Thanks

@timothytierney (Author) commented Jan 17, 2025

```shell
helm upgrade -n csdm -i csdm-ldap helm-openldap/openldap-stack-ha --version 4.3.1 --values ./deploy/services/config/values-ldap.yaml
```

Below is all that is in the values.yaml file. There are 3 attempts/scenarios.

Comments swapped # with / for formatting purposes.

When I try to add a new LDAP user once this schema is in place, I get the following error:

```
Failed, {'msgtype': 105, 'msgid': 2, 'result': 21, 'desc': 'Invalid syntax', 'ctrls': [], 'info': 'objectClass: value #0 invalid per syntax'}
```

Attempt #1:
This is the inetorgperson.schema we are using on our test VM:

```
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP$
## This work is part of OpenLDAP Software http://www.openldap.org/.
##
## Copyright 1998-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## http://www.OpenLDAP.org/license.html.
#
# InetOrgPerson (RFC2798)
#
# Depends upon
#   Definition of an X.500 Attribute Type and an Object Class to Hold
#   Uniform Resource Identifiers (URIs) [RFC2079]
#       (core.schema)
#
#   A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
#       (core.schema)
#
#   The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)

# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
    NAME 'carLicense'
    DESC 'RFC2798: vehicle license or registration plate'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# departmentNumber
# Code for department to which a person belongs.  This can also be
# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
    NAME 'departmentNumber'
    DESC 'RFC2798: identifies a department within an organization'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# displayName
# When displaying an entry, especially within a one-line summary list, it
# is useful to be able to identify a name to be used.  Since other attri-
# bute types such as 'cn' are multivalued, an additional attribute type is
# needed.  Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
    NAME 'displayName'
    DESC 'RFC2798: preferred name to be used when displaying entries'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# employeeNumber
# Numeric or alphanumeric identifier assigned to a person, typically based
# on order of hire or association with an organization.  Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
    NAME 'employeeNumber'
    DESC 'RFC2798: numerically identifies an employee within an organization'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# employeeType
# Used to identify the employer to employee relationship.  Typical values
# used will be "Contractor", "Employee", "Intern", "Temp", "External", and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
    NAME 'employeeType'
    DESC 'RFC2798: type of employment for a person'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
    NAME 'jpegPhoto'
    DESC 'RFC2798: a JPEG image'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language.  This is useful for international correspondence or human-
# computer interaction.  Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception:  the sequence "Accept-Language" ":"
# should be omitted.  This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
    NAME 'preferredLanguage'
    DESC 'RFC2798: preferred written or spoken language for a person'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData, where the content that is signed is
# ignored by consumers of userSMIMECertificate values.  It is
# recommended that values have a `contentType' of data with an absent
# `content' field.  Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities.  Values for
# this attribute are to be stored and requested in binary form, as
# 'userSMIMECertificate;binary'.  If available, this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
    NAME 'userSMIMECertificate'
    DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information.  When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form, as 'userPKCS12;binary'.  The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
    NAME 'userPKCS12'
    DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# for TMT
attributetype ( 2.16.840.1.113730.3.1.5
    NAME 'Custom-Attr-CA'
    DESC 'Custom Attr CA'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way.  It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
objectclass ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
    MAY (
        audio $ businessCategory $ carLicense $ departmentNumber $
        displayName $ employeeNumber $ employeeType $ givenName $
        homePhone $ homePostalAddress $ initials $ jpegPhoto $
        labeledURI $ mail $ manager $ mobile $ o $ pager $
        photo $ roomNumber $ secretary $ uid $ userCertificate $
        x500uniqueIdentifier $ preferredLanguage $
        userSMIMECertificate $ userPKCS12 $Custom-Attr-CA )
    )
```

Attempt #2:

```yaml
customSchemaFiles:
  inetorgperson.ldif: |-
    objectclass ( 2.16.840.1.113730.3.2.2
        NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP organizationalPerson
        STRUCTURAL
        MAY (
            audio $ businessCategory $ carLicense $ departmentNumber $
            displayName $ employeeNumber $ employeeType $ givenName $
            homePhone $ homePostalAddress $ initials $ jpegPhoto $
            labeledURI $ mail $ manager $ mobile $ o $ pager $
            photo $ roomNumber $ secretary $ uid $ userCertificate $
            x500uniqueIdentifier $ preferredLanguage $
            userSMIMECertificate $ userPKCS12 $Custom-Attr-CA )
        )
```

Attempt #3:

```yaml
customSchemaFiles:
  inetorgperson.ldif: |-
    dn: cn=inetorgperson,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: inetorgperson
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'RFC2798: vehicle license or registration plate' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC 'RFC2798: identifies a department within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'RFC2798: preferred name to be used when displaying entries' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'RFC2798: numerically identifies an employee within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.4 NAME 'employeeType' DESC 'RFC2798: type of employment for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    olcAttributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC 'RFC2798: preferred written or spoken language for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' DESC 'RFC2798: PKCS/7 SignedData used to support S/MIME' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RFC2798: personal identity information, a PKCS /12 PFX' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
    olcAttributeTypes: ( 2.16.840.1.113730.3.1.5 NAME 'Custom-Attr-CA' DESC 'Custom-Attr-CA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 $Custom-Attr-CA ) )
```
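As an added example (not code from this issue or from the openldap-stack-ha chart), here is a small Python checker that parses schema definitions in either `.schema` syntax or `cn=config` LDIF and reports, before anything is loaded into slapd, the two inconsistencies that the attempts above run into: a `MAY`/`MUST` reference to an attribute type that the fragment never declares, and a name that duplicates an element the server has already loaded. The baseline of already-loaded attribute types and object classes (`LOADED_ATTRS`, `LOADED_CLASSES`), the hypothetical `customPerson` auxiliary class, and the `PEN-PLACEHOLDER` OID arc (stand-in for an organisation's own private enterprise number) are constructed assumptions for this example; the auxiliary-class fragment shows the general pattern of extending entries without redefining a structural class.

```python
"""Static consistency check for OpenLDAP schema fragments (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class SchemaElement:
    kind: str                      # "attributetype" or "objectclass"
    oid: str
    names: list = field(default_factory=list)
    sup: list = field(default_factory=list)
    must: list = field(default_factory=list)
    may: list = field(default_factory=list)


# A definition starts a line with one of the four keywords, an optional LDIF ':',
# an optional '{n}' ordering prefix and then the opening parenthesis.
_KEYWORD = re.compile(
    r"(?im)^[ \t]*(?:(olcAttributeTypes|attributetype)|(olcObjectClasses|objectclass))"
    r"[ \t]*:?[ \t]*(?:\{\d+\})?[ \t]*\("
)
_OID = re.compile(r"^\(\s*([^\s)]+)")
_NAME = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def _normalize(text: str) -> str:
    """Drop '#' comment lines and unfold LDIF continuation lines (leading space)."""
    out = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return "\n".join(out)


def _balanced(text: str, start: int) -> str:
    """Return the parenthesised group starting at text[start]; quoted strings are opaque."""
    depth, quoted = 0, False
    for i in range(start, len(text)):
        ch = text[i]
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced parentheses in schema definition")


def _oidlist(body: str, keyword: str) -> list:
    """Values of a SUP/MUST/MAY clause: one descriptor or a '$'-separated list in parens."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([^\s()$]+))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in raw.split("$") if t.strip()]


def parse_schema(text: str) -> list:
    """Parse every attributetype/objectclass definition in .schema or cn=config LDIF form."""
    text = _normalize(text)
    elements = []
    for m in _KEYWORD.finditer(text):
        body = _balanced(text, m.end() - 1)
        nm = _NAME.search(body)
        names = [] if not nm else (
            [nm.group(1)] if nm.group(1) is not None else re.findall(r"'([^']*)'", nm.group(2)))
        # Blank out quoted strings so a DESC containing the word MAY or SUP is not read as a clause.
        stripped = re.sub(r"'[^']*'", "''", body)
        elements.append(SchemaElement(
            kind="attributetype" if m.group(1) else "objectclass",
            oid=_OID.match(body).group(1), names=names,
            sup=_oidlist(stripped, "SUP"), must=_oidlist(stripped, "MUST"),
            may=_oidlist(stripped, "MAY")))
    return elements


def check_schema(text: str, loaded_attrs=(), loaded_classes=()) -> list:
    """Return human-readable findings; an empty list means the fragment is consistent."""
    elements = parse_schema(text)
    loaded_attrs = {a.lower() for a in loaded_attrs}
    loaded_classes = {c.lower() for c in loaded_classes}
    defined_attrs = {n.lower() for e in elements if e.kind == "attributetype" for n in e.names}
    defined_classes = {n.lower() for e in elements if e.kind == "objectclass" for n in e.names}
    findings, seen_oids = [], {}
    for e in elements:
        label = f"{e.kind} {e.names[0] if e.names else e.oid}"
        if e.oid in seen_oids:
            findings.append(f"{label}: OID {e.oid} already used by {seen_oids[e.oid]} in this fragment")
        seen_oids[e.oid] = label
        loaded = loaded_attrs if e.kind == "attributetype" else loaded_classes
        for n in e.names:
            if n.lower() in loaded:
                findings.append(f"{label}: name '{n}' is already loaded; slapd rejects a duplicate "
                                "definition, so add a new element instead of redefining this one")
        if e.kind == "objectclass":
            for ref in e.must + e.may:
                if ref.lower() not in defined_attrs | loaded_attrs:
                    findings.append(f"{label}: MUST/MAY references undefined attribute type '{ref}'")
            for s in e.sup:
                if s.lower() not in defined_classes | loaded_classes:
                    findings.append(f"{label}: SUP references unknown object class '{s}'")
    return findings


# Constructed baseline (assumption): what core/cosine and the stock inetorgperson schema
# already define inside the container, so the new fragment must not redefine them.
LOADED_ATTRS = (
    "audio businessCategory givenName homePhone homePostalAddress initials labeledURI mail "
    "manager mobile o pager photo roomNumber secretary uid userCertificate x500uniqueIdentifier "
    "carLicense departmentNumber displayName employeeNumber employeeType jpegPhoto "
    "preferredLanguage userSMIMECertificate userPKCS12").split()
LOADED_CLASSES = ["top", "organizationalPerson", "inetOrgPerson"]

# Constructed .schema input mirroring "attempt #2": the structural class is redefined and the
# new attribute is referenced in MAY but never declared.
REDEFINE_STRUCTURAL = """\
objectclass ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
    MAY ( audio $ businessCategory $ carLicense $ departmentNumber $
          displayName $ mail $ uid $ userPKCS12 $Custom-Attr-CA ) )
"""

# Constructed cn=config LDIF that carries the attribute in a hypothetical AUXILIARY class;
# the PEN-PLACEHOLDER arc stands in for the organisation's own private enterprise number.
AUXILIARY_CLASS = """\
dn: cn=custom-person,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: custom-person
olcAttributeTypes: ( 1.3.6.1.4.1.PEN-PLACEHOLDER.1.1 NAME 'Custom-Attr-CA'
  DESC 'Custom Attr CA' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.PEN-PLACEHOLDER.2.1 NAME 'customPerson'
  DESC 'hypothetical auxiliary class carrying Custom-Attr-CA' SUP top AUXILIARY
  MAY ( Custom-Attr-CA ) )
"""

if __name__ == "__main__":
    for title, fragment in (("redefine structural class", REDEFINE_STRUCTURAL),
                            ("auxiliary class", AUXILIARY_CLASS)):
        findings = check_schema(fragment, LOADED_ATTRS, LOADED_CLASSES)
        print(f"{title}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against the content of a `customSchemaFiles` entry before the `helm upgrade`; the first constructed fragment yields two findings (a duplicate `inetOrgPerson` definition and the undeclared `Custom-Attr-CA`), the second yields none. The loaded baseline is the part to adapt: dump the server's real `cn=schema,cn=config` subtree and feed its attribute and class names in, rather than relying on the constructed list.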
