Hi all, We have found something out.
When you add a user (like cmdtestuser) to FreeIPA and add it to group: - admins - trust admins - editors And you add this same useraccount to a Linux box and do a "su cmdtestuser" you are able to do a "kinit" abd give your password that user has in FreeIPA. After this you can run a curl script from the commandline with a "add_user" and actually add that user to IPA. So that works. That is what we actually want to do from PHP but testing this with a HTTP/HTTPD user in IPA doesn't work. Shouldn't that be possible ? I hope so! Cheers, Matt 2013/7/26 Petr Vobornik <pvobo...@redhat.com> > On 07/26/2013 04:37 PM, Rob Crittenden wrote: > >> Zip Ly wrote: >> >>> >>> Normally if IPA has a well documented API then my approach would be: >>> user --> (internet) --> webserver --> lPA API --> IPA server >>> But since there isn't much info about the API then my approach would be: >>> user --> (internet) --> webserver --> a PHP script which acts as an >>> custom API --> IPA server >>> The problem is I don't know which commands are available en which >>> values/params I should send. For example: >>> http://www.freeipa.org/docs/1.**2/Administrators_Reference/en-** >>> US/html/chap-Administration_**Reference-XML_RPC_Application_** >>> Programming_Interface_API_**Documentation.html#<http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#> >>> >>> These are commands for xml rpc. Without examples it's difficult to find >>> out how to use it. >>> >> >> The API changed between v1 and v2/3, so these docs are not right for >> your purposes. >> >> We haven't formally documented the API (either json or xml-rpc) yet >> because it is still somewhat in flux. The API is baked into the ipa >> client, so any command you can run from there is the equivalent of a >> json/xml-rpc command, just substituting underscore for dash. >> >> About the closest we have is API.txt in the source tree. This is really >> designed to be read by a computer but it outlines each command and the >> options it takes, and the output it returns. >> >> But they are different from this example: >>> http://adam.younglogic.com/**2010/07/talking-to-freeipa-** >>> json-web-api-via-curl/<http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/> >>> >>> In this example a "user_find" command is used, but this command cannot >>> be found in the official xml rpc document above. >>> In ssh I can display a list of commands with "ipa help commands" I don't >>> know if they are all supported in "/ipa/json" I probably need to replace >>> all dashes with underscores (correct me if I'm wrong). >>> >> >> The same commands and options are available over json as xml-rpc. >> >> If I want to display all the supported params from one certain command >>> for example "ipa help user-find". Then, are all the double dashed params >>> also the supported params which I can send with JSON? >>> >> >> Yes. >> > > Note that for some LDAP attributes dash param names may be different than > API option names. It those cases the correct one is LDAP attribute name. > > Use `ipa show-mappings command-name` to find the correct names. > > > >> I prefer using the native API if there is one (hidden somewhere), >>> because I don't want to reinvent the wheel with security leaks which I'm >>> not aware of. Especially when I need to execute CLI commands from >>> the PHP scripts. >>> >> >> The native API is json/xml-rpc. They are currently equivalent. In the >> near future we are going to mark xml-rpc as deprecated and it will start >> to fall behind in features, and eventually we may drop it altogether. >> >> rob >> >> > -- > Petr Vobornik > > > ______________________________**_________________ > Freeipa-users mailing list > Freeipaemail@example.com > https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users> >
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users