On Wed, 2013-02-13 at 09:35 -0500, Dmitri Pal wrote:
> On 02/13/2013 12:47 AM, It Meme wrote: 

> > Could there be any way that accounts can be provisioned to IPA, via
> > LDAP, from an existing IAM system?
> > 
> > 
> > The newly provisioned accounts can be temporarily stored in IPA's
> > 389 Directory Server, and subsequently an automated task can IPA-ize
> > the accounts (i.e. via the Python libraries). The accounts that have
> > not been IPA-ized will be provisioned in a disabled state (i.e.
> > users will not be using them).
> > 
> > 
> > After accounts have been IPA-ized, account attributes, such as
> > 'givenName', 'password', 'membershipOf', can be managed by LDAP from
> > the central IAM system.


> IMO a solution might be to do something like this:
> https://fedorahosted.org/freeipa/ticket/1593
> You create a plugin for DS to intercept the changes and send them over
> DBUS or socket
> 
> So the whole thing would work like this:
> You create a different tree for accounts managed by the external
> system for example under cn=ext, ...
> You create a plugin that would intercept add, delete and modify
> commands and would also send these over the DBUS/Socket to a python
> service that would translate the changes into ipa user-add, ipa
> user-mod and ipa user-del commands.
> 
> The value of this approach is that it would take advantage of the
> standard interfaces of both systems and have full control over the
> code you develop.
> 
> Would that work for you?
> 

I hadn't seen this reply yet, but I just proposed something similar on
freeipa-devel.

However my proposal would avoid strange back and forth with temporary
objects and so on.

It Meme,
if you are interested in helping in this direction please subscribe to
freeipa-devel and follow this thread: 
https://www.redhat.com/archives/freeipa-devel/2013-February/msg00149.html

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
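The translation step in the design Dmitri sketches above (DS plugin intercepts add/modify/delete under a cn=ext subtree, a Python service turns them into ipa user-add/user-mod/user-del) is where a bridge like this should be strict about what it forwards. The following is an added illustration, not code from the thread or from FreeIPA: it assumes a constructed subtree DN, a small attribute-to-option mapping, and that change events arrive as (operation, DN, attributes) tuples from the plugin.

```python
import re
from typing import Dict, List, Optional

# Subtree written by the external IAM system (constructed; thread only says "cn=ext, ...").
EXT_BASE_DN = "cn=ext,dc=example,dc=com"

# LDAP attribute -> ipa user-add / user-mod option. Assumed minimal mapping;
# anything not listed is dropped rather than forwarded blindly.
ATTR_TO_OPTION = {
    "givenname": "--first",
    "sn": "--last",
    "mail": "--email",
}


def uid_from_dn(dn: str) -> Optional[str]:
    """Return the uid RDN value only if dn sits directly under EXT_BASE_DN."""
    pattern = r"uid=([A-Za-z0-9._-]+)," + re.escape(EXT_BASE_DN)
    m = re.fullmatch(pattern, dn, re.IGNORECASE)
    return m.group(1) if m else None


def translate_change(op: str, dn: str, attrs: Dict[str, str]) -> List[str]:
    """Translate one intercepted DS change into an argv for the ipa CLI.

    Raises ValueError for entries outside the managed subtree, unknown
    operations, or attributes that must never travel on a command line.
    """
    uid = uid_from_dn(dn)
    if uid is None:
        raise ValueError(f"refusing change outside {EXT_BASE_DN}: {dn}")
    if op == "delete":
        return ["ipa", "user-del", uid]
    if op not in ("add", "modify"):
        raise ValueError(f"unsupported operation: {op}")
    argv = ["ipa", "user-add" if op == "add" else "user-mod", uid]
    for name, value in attrs.items():
        key = name.lower()
        if key == "userpassword":
            # argv is visible in process listings; passwords need a separate channel
            raise ValueError("userPassword must not be passed on the command line")
        if key in ATTR_TO_OPTION:
            argv.append(f"{ATTR_TO_OPTION[key]}={value}")
    if op == "add":
        given = {a.split("=", 1)[0] for a in argv[3:]}
        if not {"--first", "--last"} <= given:
            raise ValueError("user-add requires givenName and sn")
    return argv
```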

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users