On 03/26/2015 03:19 PM, Timothy Worman wrote:
On Mar 26, 2015, at 11:42 AM, Martin Kosek <mko...@redhat.com> wrote:
On 03/26/2015 07:37 PM, Timothy Worman wrote:
Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding a new user is that easy:

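from ipalib import api
from ipalib import errors

# Initialize the API and connect to the server (needs a valid Kerberos ticket)
api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')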

What way would you suggest to make it more conforming to your use case? Are you 
suggesting REST interface doing the above or something else?
Oh, I think the JSON option is the best one currently available. But I do think 
REST-ful service would be a good idea.

I would be willing to test option 4 if that is where the future is headed.

Ok, just note that this still means LDAP interface a need to talk in LDAP 
This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
Cayenne since you can model those ldap entities and simply set their attributes 
and insert. At a lower level JNDI will handle it. I personally prefer this over 
building strings, sending commands, etc.

So this will be ready upstream within several weeks or so. Would you test it once it is available before the official upstream release?



On Mar 24, 2015, at 12:58 AM, Martin Kosek <mko...@redhat.com> wrote:

On 03/24/2015 01:29 AM, Dmitri Pal wrote:
On 03/23/2015 05:56 PM, Timothy Worman wrote:
I have an existing web app built with java/WebObjects that currently handles
some user/groups tasks with our current directory server (Open Directory). We
are investigating a move to FreeIPA for our directory services.

Just in mucking around, I’ve found that if I try to insert a new user
(inetOrgPerson) into IPA’s implementation, the new user does not inherit
all the object classes it should. It only inherits the ones leading to
inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
that user record does not show up in the Web GUI management tools.

Usually, I have focused on inetOrgPerson because that is where the bulk of
the info about a user lives.

We have a SQL database that contains people in our organization (used by
other services), so, we need to be able to leverage that and push users into
IPA when appropriate and we have an existing app to do this.

Tim W

You have several options:
1) Call ipa CLI from your application - this is possible right now (but not
quite nice)
2) Call ipa JSON API from your application - this is not supported but
possible. We use python API. You can do it in Java but it will be a lot of work.
3) Use more elaborate LDAP add commands (with all the object classes needed for
users). Hard, but doable.
4) Help us with testing the upcoming feature
http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
creating users via simple ldap command in a staging area and then moving them
to normal users area with automatic creation of missing attributes by means of
a cron job.

I would vote for 1) as a temp solution and 4) as a longer term one.
I do not fully agree with preferring 1) over 2). Java has libraries for
JSON-RPC protocol, it should be pretty doable to write a call that calls the
"user_add" command.

We are lacking proper documentation for the API, but what you can look in the
sources or in the Web UI with and see the JSONs sent to the server, if you are
interested in the real life examples.

Advantage of 2) over 1) is that you get the native objects (strings, arrays,
numbers) and you do not need to parse it from CLI.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
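
Added example, not part of the thread or of FreeIPA's own code: a sketch of option 2, building the JSON-RPC envelope for "user_add" from typed values and turning an error reply into an exception instead of parsing CLI text. The host name is a placeholder, the session endpoint and Referer header are assumptions about the server setup, and both sample replies are constructed.

```python
import json
import urllib.request

IPA_HOST = "ipa.example.test"  # placeholder host (assumption)

class IPAError(Exception):
    """Raised when the JSON-RPC reply carries a non-null "error" member."""
    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name = code, name

def build_user_add(uid, givenname, sn, request_id=0):
    """Envelope layout: params = [positional args, keyword options]."""
    for field in (uid, givenname, sn):
        if not isinstance(field, str) or not field:
            raise ValueError("uid, givenname and sn must be non-empty strings")
    return {"method": "user_add",
            "params": [[uid], {"givenname": givenname, "sn": sn}],
            "id": request_id}

def to_http_request(payload, host=IPA_HOST):
    """Wrap the payload in an HTTPS POST. Nothing is sent here; the caller
    supplies the session cookie and keeps TLS verification enabled."""
    return urllib.request.Request(
        f"https://{host}/ipa/session/json",  # assumed session endpoint
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Referer": f"https://{host}/ipa"},  # assumed to be required
        method="POST")

def parse_reply(body):
    """Return the "result" member, or raise IPAError on a server-side error."""
    reply = json.loads(body)
    err = reply.get("error")
    if err:
        raise IPAError(err.get("code"), err.get("name"), err.get("message"))
    return reply["result"]

# Constructed sample replies (not captured from a real server).
SAMPLE_OK = json.dumps({"result": {"result": {"uid": ["newuser"]},
                                   "value": "newuser",
                                   "summary": 'Added user "newuser"'},
                        "error": None, "id": 0})
SAMPLE_DUP = json.dumps({"result": None, "id": 0,
                         "error": {"code": 4002, "name": "DuplicateEntry",
                                   "message": 'user with name "newuser" already exists'}})
```
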
