On 31/01/2014 12:52, Dmitri Pal wrote:
On 01/31/2014 05:03 AM, Martin Kosek wrote:
On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote:
On 30/01/2014 19:25, Dmitri Pal wrote:
On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote:
To call into IPA you can use "ipa ..." command line or use our API from
python client. Since you are using Java calling into "ipa" command is
probably the best option.
Actually, a RESTful interface (HTTP/JSON) would better suit our development
model and deployment scenarios.
FreeIPA does not (currently) have a RESTful interface (though it is being
partially designed in [8]). However it has a Kerberos-protected
JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the
I suggest that you look at the implementation of [8] and create a user
provisioning smart proxy similar to it.
This proxy would expose the REST API that can be consumed by your
connector or some other system and will be a part of IPA.
Internally the proxy will call JSON RPC against IPA and have all the
"business logic".
So the recommendation is to make your connector lightweight and leverage
a proxy that can be reused by other systems.

Are you saying that we should split our development in two:

(1) smart proxy, exposing the RESTful interface, developed on the basis of [8]

(2) actual ConnId connector, dealing with the proxy above for implementing its own logic

If so, could you please point to the source code of [8]?
Will then this eventually become part of FreeIPA?

I am actually not sure if a "lightweight" connector could actually be better than a "loaded" connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen.

We do not, however, have a good (read "none") documentation of the interface,
see related discussion in freeipa-users list [6].
And would appreciate if you start a wiki page to record it as you go so
that we can start documenting it.

In future we plan to allow insertion of the users via an ldap command
https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for
this spring.

What are other use cases and workflows you have?
Do you have a password reset self service?
If you do, it might be a nice external addition to FreeIPA if it integrates
into the UI seamlessly.
The idea is to deploy the latest FreeIPA version in our lab, start playing with
it and come to this list for asking for more information we are not able to
find in the wiki (just to avoid some graceful RTFMs...).
Then, every time we get something working, we will also check here whether we
are heading into the right direction, if we are missing some important points,

Does it sound?
Sounds good to me, you should be able to find all documentation links in [7].

[1] http://syncope.apache.org/
[2] http://tirasa.github.io/ConnId/
[3] http://java.net/projects/identityconnectors/
[4] https://github.com/Tirasa/ConnIdFreeIPABundle
[6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html
[7] http://www.freeipa.org/page/Documentation
[8] http://www.freeipa.org/page/V3/Smart_Proxy

Francesco Chicchiriccò

Tirasa - Open Source Excellence

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PPMC
