On Wed, 2013-02-13 at 09:35 -0500, Dmitri Pal wrote:
> On 02/13/2013 12:47 AM, It Meme wrote: 

> > Could there be any way that accounts can be provisioned to IPA, via
> > LDAP, from existing IAM system?
> > 
> > 
> > The newly provisioned accounts can be temporarily stored in IPA's
> > 389 Directory Server, and subsequently an automated task can IPA-ize
> > the accounts (i.e. via the Python libraries). The accounts that have
> > not been IPA-ized will be provisioned in a disabled state (i.e.
> > users will not be using them).
> > 
> > 
> > After accounts have been IPA-ized, account attributes, such as
> > 'givenName', 'password', 'membershipOf', can be managed by LDAP from
> > the central IAM system.

> IMO a solution might be to do something like this:
> https://fedorahosted.org/freeipa/ticket/1593
> You create a plugin for DS to intercept the changes and send them over
> DBUS or socket
> So the whole thing would work like this:
> You create a different tree for accounts managed by the external
> system for example under cn=ext, ...
> You create a plugin that would intercept add, delete and modify
> commands and would also send these over the DBUS/Socket to a python
> service that would translate the changes into ipa user-add, ipa
> user-mod and ipa user-del commands.
> The value of this approach is that it would take advantage of the
> standard interfaces of both systems and have full control over the
> code you develop.
> Would that work for you?

I hadn't seen this reply yet, but I just proposed something similar on

However my proposal would avoid strange back and forth with temporary
objects and so on.

It Meme,
if you are interested in helping in this direction please subscribe to
freeipa-devel and follow this thread: 


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
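The translation step in Dmitri's proposal (a Python service turning intercepted add/modify/delete operations on the cn=ext subtree into ipa user-add / user-mod / user-del invocations) as an added example; this is not FreeIPA or 389-ds code and is not from anyone in the thread. The DS interceptor plugin and the DBUS/socket transport are assumed to exist and to deliver one dict per change; the subtree DN, the dict layout and the sample changes are constructed for the example. Password values are deliberately never placed on the command line, since argv is visible to other local users through the process table.

```python
"""
Translate change notifications for entries under the externally managed
subtree into argv lists for the ipa CLI.

Added example for this thread (not FreeIPA or 389-ds code).  The DS plugin
that intercepts add/modify/delete and the DBUS/socket transport are assumed
to exist and to hand over one dict per change; the dicts below are constructed.
"""

EXT_SUFFIX = "cn=ext,dc=example,dc=com"   # assumed DN of the external tree

# LDAP attribute -> ipa user-add / user-mod option
ATTR_TO_OPTION = {
    "givenName": "--first",
    "sn": "--last",
    "mail": "--email",
    "loginShell": "--shell",
    "homeDirectory": "--homedir",
}
SECRET_ATTRS = {"userPassword"}   # never placed on a command line (visible in ps)


class RejectedChange(ValueError):
    """Raised for changes the service refuses to forward to ipa."""


def rdn_value(dn, expected_attr):
    """Return the value of the first RDN of `dn`, checking its attribute type."""
    rdn = dn.split(",", 1)[0]
    attr, sep, value = rdn.partition("=")
    if not sep or attr.strip().lower() != expected_attr.lower() or not value.strip():
        raise RejectedChange("expected %s= RDN in %r" % (expected_attr, dn))
    return value.strip()


def login_from_dn(dn):
    """Extract the uid and verify the entry lives directly under EXT_SUFFIX."""
    parent = dn.split(",", 1)[1].strip() if "," in dn else ""
    if parent.lower() != EXT_SUFFIX.lower():
        raise RejectedChange("entry outside external subtree: %r" % dn)
    return rdn_value(dn, "uid")


def translate(change):
    """Map one change dict to (list of ipa argv lists, attrs deferred for out-of-band handling)."""
    login = login_from_dn(change["dn"])
    op = change["op"]
    attrs = change.get("attrs", {})
    commands, deferred = [], []

    if op == "delete":
        return [["ipa", "user-del", login]], deferred
    if op not in ("add", "modify"):
        raise RejectedChange("unknown operation %r" % op)
    if op == "add" and not ("givenName" in attrs and "sn" in attrs):
        raise RejectedChange("ipa user-add needs --first and --last: %r" % change["dn"])

    argv = ["ipa", "user-add" if op == "add" else "user-mod", login]
    for attr, values in attrs.items():
        if attr in SECRET_ATTRS:
            deferred.append(attr)           # set through the API or a prompt, never argv
        elif attr in ATTR_TO_OPTION:
            argv.append("%s=%s" % (ATTR_TO_OPTION[attr], values[0]))
        # memberOf is handled below; any other attribute is ignored on purpose
    if op == "add" or len(argv) > 3:        # skip an empty user-mod
        commands.append(argv)

    # memberOf holds group DNs; the ipa group commands want the group cn.
    for group_dn in attrs.get("memberOf", []):
        commands.append(["ipa", "group-add-member", rdn_value(group_dn, "cn"), "--users=%s" % login])
    for group_dn in change.get("removed", {}).get("memberOf", []):
        commands.append(["ipa", "group-remove-member", rdn_value(group_dn, "cn"), "--users=%s" % login])
    return commands, deferred


SAMPLE_CHANGES = [   # constructed notifications as the assumed plugin would emit them
    {"op": "add", "dn": "uid=jdoe,cn=ext,dc=example,dc=com",
     "attrs": {"givenName": ["Jane"], "sn": ["Doe"], "mail": ["jdoe@example.com"],
               "userPassword": ["{SSHA}placeholder"],
               "memberOf": ["cn=staff,cn=groups,cn=accounts,dc=example,dc=com"]}},
    {"op": "modify", "dn": "uid=jdoe,cn=ext,dc=example,dc=com",
     "attrs": {"mail": ["jane.doe@example.com"]},
     "removed": {"memberOf": ["cn=staff,cn=groups,cn=accounts,dc=example,dc=com"]}},
    {"op": "delete", "dn": "uid=jdoe,cn=ext,dc=example,dc=com"},
    {"op": "add", "dn": "uid=stray,dc=example,dc=com",
     "attrs": {"givenName": ["S"], "sn": ["T"]}},   # outside cn=ext: must be rejected
]


def run_samples():
    """Translate every sample, recording rejections instead of raising."""
    results = []
    for change in SAMPLE_CHANGES:
        try:
            results.append(translate(change))
        except RejectedChange as exc:
            results.append(("rejected", str(exc)))
    return results


if __name__ == "__main__":
    for item in run_samples():
        print(item)
```

The subtree check is the part worth keeping even if the rest is replaced: the service should only ever act on entries the external IAM system is allowed to manage, so a change reported for any other DN is refused rather than forwarded to ipa.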
