On 30/01/2014 19:25, Dmitri Pal wrote:
On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote:
Hi all,
I am PMC chair at Apache Syncope [1], an Open Source system for
managing digital identities in enterprise environments, implemented in
JEE technology and released under Apache 2.0 license.

Apache Syncope can be classified as provisioning engine, and its duty
can be summarized as keeping synchronized account data across
different identity datastores (RDBMS, LDAP, Active Directory, ....).

For the actual communication with such external identity datastores,
Apache Syncope relies upon ConnId [2], an Open Source fork of Sun
Microsystem's Identity Connectors framework [3], left dead after Sun's
acquisition by Oracle.
I am also project owner at ConnId.

My company Tirasa is about to start the development of a FreeIPA
ConnId connector [4] that would allow the integration of FreeIPA into
Apache Syncope-based IdM architectures.

We are currently installing and testing FreeIPA in order to understand
what is the better way to implement the communication with Syncope: do
you have any suggestion about where to start from?
Can you please list provisioning use cases that you want to support?
Add user?
Edit user?
Reset password?

Basically we are planning to implement all identity operations defined by the ConnId framework [5], e.g.:


for ACCOUNTs and GROUPs; some of such operations (SYNC, for example) is usually more complex than others. It will be then Syncope's business to build high-level identity operations on top of these primitives, as it does with existing connectors, in a technology-agnostic way.

Keep in mind that after password is set for a user user needs to change
it on the first login. This is done to make sure that no one can
impersonate user and password is not know outside the system. So this is
one of the first hurdles you need to deal with, i.e. fire and forget and
not try to use password for anything else in IPA use case.

This seems to be the first custom requirement of this connector, if compared with existing ones: good to know :-)

To call into IPA you can use "ipa ..." command line or use out API from
python client. Since you are using Java calling into "ipa" command is
probably the best option.

Actually, a RESTful interface (HTTP/JSON) would better suit our development model and deployment scenarios.

In future we plan to allow insertion of the users via an ldap command
https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for
this spring.

What are other use cases and workflows you have?
Do you have a password reset self service?
If you do it might be nice external addition to FreeIPA if it integrates
into the UI seamlessly.

The idea is to deploy the latest FreeIPA version in our lab, start playing with it and come to this list for asking for more information we are not able to find in the wiki (just to avoid some graceful RTFMs...). Then, every time we get something working, we will also check here whether we are heading into the right direction, if we are missing some important points, etc.

Does it sound?


[1] http://syncope.apache.org/
[2] http://tirasa.github.io/ConnId/
[3] http://java.net/projects/identityconnectors/
[4] https://github.com/Tirasa/ConnIdFreeIPABundle
[5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html

Francesco Chicchiriccò

Tirasa - Open Source Excellence

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PPMC

Freeipa-devel mailing list

Reply via email to