> On Mar 26, 2015, at 3:08 PM, Dmitri Pal <d...@redhat.com> wrote:
>
> On 03/26/2015 03:19 PM, Timothy Worman wrote:
>> On Mar 26, 2015, at 11:42 AM, Martin Kosek <mko...@redhat.com> wrote:
>>> On 03/26/2015 07:37 PM, Timothy Worman wrote:
>>>> Thanks everyone for the input.
>>>>
>>>> I do agree that I don’t like the sound of option 1. I don’t want to be
>>>> sending CLI commands from a remote host. And option 3 sounds a bit
>>>> brittle to me.
>>>>
>>>> 2 sounds like the most solid option available right now. I like the fact
>>>> that there’s an existing/working API there. I’ll need to look into
>>>> converting my objects into json.
>>>>
>>>> This area honestly seems like one of the weakest aspects of freeipa. There
>>>> really needs to be a way to push known person entities into the directory
>>>> easily.
>>> There may be some disconnect, the JSONRPC/XMLRPC API is the way we still
>>> see as an easy way to manipulate the entries (besides CLI and Web UI). In
>>> Python, adding new user is that easy:
>>>
>>> ~~~
>>> from ipalib import api
>>> from ipalib import errors
>>>
>>> api.bootstrap(context='cli')
>>> api.finalize()
>>> api.Backend.rpcclient.connect()
>>> api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
>>> ~~~
>>>
>>> What way would you suggest to make it more conforming to your use case? Are
>>> you suggesting REST interface doing the above or something else?
>> Oh, I think the JSON option is the best one currently available. But I do
>> think REST-ful service would be a good idea.
>>
>>> I would be willing to test option 4 if that is where the future is headed.
>>>
>>> Ok, just note that this still means LDAP interface a need to talk in LDAP
>>> protocol.
>> This may not be a bad thing if you’re using an ORM like Webobjects/EOF or
>> Cayenne since you can model those ldap entities and simply set their
>> attributes and insert. At a lower level JNDI will handle it. I personally
>> prefer this over building strings, sending commands, etc.
>
> So this will be ready upstream within several weeks or so. Would you test it
> once it is available before the official upstream release?

Hi Dmitri - following up on this to see how progress is going on this project. I am definitely still interested in testing this. In the meantime, I have been pursuing http client calls posting json. And I have some questions I need to pursue on that as well. Should I take this to freeipa-devel?

Tim

>
>> Tim
>>
>>>> Tim
>>>>
>>>>> On Mar 24, 2015, at 12:58 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>>>
>>>>> On 03/24/2015 01:29 AM, Dmitri Pal wrote:
>>>>>> On 03/23/2015 05:56 PM, Timothy Worman wrote:
>>>>>>> I have an existing web app built with java/WebObjects that currently
>>>>>>> handles some user/groups tasks with our current directory server (Open
>>>>>>> Directory). We are investigating a move to FreeIPA for our directory
>>>>>>> services.
>>>>>>>
>>>>>>> Just in mucking around, I’ve found that if I try to insert a new user
>>>>>>> (inetOrgPerson) into IPA’s implementation, the new user does not
>>>>>>> inherit all the object classes it should. It only inherits the ones
>>>>>>> leading to inetOrgPerson. This does result in a successful inetOrgPerson
>>>>>>> insertion, but that user record does not show up in the Web GUI
>>>>>>> management tools.
>>>>>>>
>>>>>>> Usually, I have focused on inetOrgPerson because that is where the bulk
>>>>>>> of the info about a user lives.
>>>>>>>
>>>>>>> We have a SQL database that contains people in our organization (used by
>>>>>>> other services), so, we need to be able to leverage that and push users
>>>>>>> into IPA when appropriate and we have an existing app to do this.
>>>>>>>
>>>>>>> Tim W
>>>>>>>
>>>>>> You have several options:
>>>>>> 1) Call ipa CLI from your application - this is possible right now (but
>>>>>> not quite nice)
>>>>>> 2) Call ipa JSON API from your application - this is not supported but
>>>>>> possible. We use python API. You can do it in Java but it will be a lot
>>>>>> of work.
>>>>>> 3) Use more elaborate LDAP add commands (with all the object classes
>>>>>> needed for users). Hard, but doable.
>>>>>> 4) Help us with testing the upcoming feature
>>>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would
>>>>>> allow creating users via simple ldap command in a staging area and then
>>>>>> moving them to normal users area with automatic creation of missing
>>>>>> attributes by means of a cron job.
>>>>>>
>>>>>> I would vote for 1) as a temp solution and 4) as a longer term one.
>>>>> I do not fully agree with preferring 1) over 2). Java has libraries for
>>>>> JSON-RPC protocol, it should be pretty doable to write a call that calls
>>>>> the "user_add" command.
>>>>>
>>>>> We are lacking proper documentation for the API, but you can look in
>>>>> the sources or in the Web UI and see the JSONs sent to the server, if
>>>>> you are interested in the real life examples.
>>>>>
>>>>> Advantage of 2) over 1) is that you get the native objects (strings,
>>>>> arrays, numbers) and you do not need to parse it from CLI.
>>>>>
>>>>> Martin
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
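
The JSON-RPC route discussed in this thread (option 2), as an added example that is not part of the original messages or of FreeIPA's own code: it builds the HTTP POST that corresponds to the quoted `user_add` call and turns a server-side error into an exception. The host name, the session cookie value, the function names and the two sample replies are assumptions constructed for illustration.

```python
import json
import urllib.request

IPA_HOST = "ipa.example.com"  # assumption: placeholder host name


class IPAError(Exception):
    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name = code, name


def build_user_add(uid, givenname, sn, session_cookie):
    """Build (without sending) the POST that mirrors api.Command['user_add']."""
    body = {
        "method": "user_add",
        # params = [positional arguments, keyword options]
        "params": [[uid], {"givenname": givenname, "sn": sn}],
        "id": 0,
    }
    return urllib.request.Request(
        url=f"https://{IPA_HOST}/ipa/session/json",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            # The server refuses requests whose Referer is not under /ipa.
            "Referer": f"https://{IPA_HOST}/ipa",
            # Session cookie obtained from an earlier authenticated login.
            "Cookie": f"ipa_session={session_cookie}",
        },
    )


def parse_reply(raw):
    """Return the 'result' member, or raise IPAError when 'error' is set."""
    reply = json.loads(raw)
    err = reply.get("error")
    if err:
        raise IPAError(err.get("code"), err.get("name"), err.get("message"))
    return reply["result"]


# Constructed sample replies, not captured from a real server.
OK_REPLY = ('{"result": {"result": {"uid": ["newuser"]}, "value": "newuser"},'
            ' "error": null, "id": 0}')
DUP_REPLY = ('{"result": null, "error": {"code": 4002, "name": "DuplicateEntry",'
             ' "message": "user already exists"}, "id": 0}')
```

Send the request with `urllib.request.urlopen` and an `ssl` context that trusts the IPA CA certificate, so the session cookie only ever goes to a verified server.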