> On Mar 26, 2015, at 3:08 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 03/26/2015 03:19 PM, Timothy Worman wrote:
>> On Mar 26, 2015, at 11:42 AM, Martin Kosek <mko...@redhat.com> wrote:
>>> On 03/26/2015 07:37 PM, Timothy Worman wrote:
>>>> Thanks everyone for the input.
>>>> I do agree that I don’t like the sound of option 1. I don’t want to be 
>>>> sending CLI commands from a remote host. And option 3 sounds a bit 
>>>> brittle to me.
>>>> 2 sounds like the most solid option available right now. I like the fact 
>>>> that there’s an existing/working API there. I’ll need to look into 
>>>> converting my objects into json.
>>>> This area honestly seems like one of the weakest aspects of freeipa. There 
>>>> really needs to be a way to push known person entities into the directory 
>>>> easily.
>>> There may be some disconnect, the JSONRPC/XMLRPC API is the way we still 
>>> see as an easy way to manipulate the entries (besides CLI and Web UI). In 
>>> Python, adding a new user is that easy:
>>> ~~~
>>> from ipalib import api
>>> from ipalib import errors
>>> api.bootstrap(context='cli')
>>> api.finalize()
>>> api.Backend.rpcclient.connect()
>>> api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
>>> ~~~
>>> What way would you suggest to make it more conforming to your use case? Are 
>>> you suggesting REST interface doing the above or something else?
>> Oh, I think the JSON option is the best one currently available. But I do 
>> think REST-ful service would be a good idea.
>>> I would be willing to test option 4 if that is where the future is headed.
>>> Ok, just note that this still means an LDAP interface and a need to talk in 
>>> LDAP protocol.
>> This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
>> Cayenne since you can model those ldap entities and simply set their 
>> attributes and insert. At a lower level JNDI will handle it. I personally 
>> prefer this over building strings, sending commands, etc.
> So this will be ready upstream within several weeks or so. Would you test it 
> once it is available before the official upstream release?

Hi Dmitri - following up on this to see how progress is going on this project. 
I am definitely still interested in testing this. In the meantime, I have been 
pursuing http client calls posting json. And I have some questions I need to 
pursue on that as well. Should I take this to freeipa-devel?


>> Tim
>>>> Tim
>>>>> On Mar 24, 2015, at 12:58 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>>> On 03/24/2015 01:29 AM, Dmitri Pal wrote:
>>>>>> On 03/23/2015 05:56 PM, Timothy Worman wrote:
>>>>>>> I have an existing web app built with java/WebObjects that currently 
>>>>>>> handles
>>>>>>> some user/groups tasks with our current directory server (Open 
>>>>>>> Directory). We
>>>>>>> are investigating a move to FreeIPA for our directory services.
>>>>>>> Just in mucking around, I’ve found that if I try to insert a new user
>>>>>>> (inetOrgPerson) into IPA’s implementation, the new user does not 
>>>>>>> inherit
>>>>>>> all the object classes it should. It only inherits the ones leading to
>>>>>>> inetOrgPerson. This does result in a successful inetOrgPerson 
>>>>>>> insertion, but
>>>>>>> that user record does not show up in the Web GUI management tools.
>>>>>>> Usually, I have focused on inetOrgPerson because that is where the bulk 
>>>>>>> of
>>>>>>> the info about a user lives.
>>>>>>> We have a SQL database that contains people in our organization (used by
>>>>>>> other services), so, we need to be able to leverage that and push users 
>>>>>>> into
>>>>>>> IPA when appropriate and we have an existing app to do this.
>>>>>>> Tim W
>>>>>> You have several options:
>>>>>> 1) Call ipa CLI from your application - this is possible right now (but 
>>>>>> not
>>>>>> quite nice)
>>>>>> 2) Call ipa JSON API from your application - this is not supported but
>>>>>> possible. We use python API. You can do it in Java but it will be a lot 
>>>>>> of work.
>>>>>> 3) Use more elaborate LDAP add commands (with all the object classes 
>>>>>> needed for
>>>>>> users). Hard, but doable.
>>>>>> 4) Help us with testing the upcoming feature
>>>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would 
>>>>>> allow
>>>>>> creating users via simple ldap command in a staging area and then moving 
>>>>>> them
>>>>>> to normal users area with automatic creation of missing attributes by 
>>>>>> means of
>>>>>> a cron job.
>>>>>> I would vote for 1) as a temp solution and 4) as a longer term one.
>>>>> I do not fully agree with preferring 1) over 2). Java has libraries for
>>>>> JSON-RPC protocol, it should be pretty doable to write a call that calls 
>>>>> the
>>>>> "user_add" command.
>>>>> We are lacking proper documentation for the API, but what you can look in 
>>>>> the
>>>>> sources or in the Web UI with and see the JSONs sent to the server, if 
>>>>> you are
>>>>> interested in the real life examples.
>>>>> Advantage of 2) over 1) is that you get the native objects (strings, 
>>>>> arrays,
>>>>> numbers) and you do not need to parse it from CLI.
>>>>> Martin
> -- 
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
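
The JSON-RPC route discussed in this thread (option 2, and the "http client calls posting json" mentioned in the latest message), as an added example that is not part of the original messages and is not FreeIPA's own code: it builds the HTTP request equivalent to the `user_add` call shown in the Python snippet and parses the reply. The host name, API version, session cookie value and sample replies are constructed assumptions, and a session cookie is assumed to have been obtained already from the server's login endpoint.

```python
import json
import urllib.request

# Assumptions for illustration only: replace with your server and its API version.
IPA_HOST = "ipa.example.test"   # hypothetical host name
API_VERSION = "2.114"           # assumed; use the version your server reports

# Constructed sample replies (not captured from a real server).
SAMPLE_OK = ('{"result": {"result": {"uid": ["newuser"]}, "value": "newuser"}, '
             '"error": null, "id": 0}')
SAMPLE_ERR = ('{"result": null, "error": {"code": 4002, "name": "DuplicateEntry", '
              '"message": "user with login newuser already exists"}, "id": 0}')


def build_rpc_request(host, method, args, options, session_cookie):
    """Build (but do not send) the HTTPS POST carrying one JSON-RPC command."""
    payload = {
        "method": method,
        # Positional arguments first, then keyword options plus the API version.
        "params": [list(args), dict(options, version=API_VERSION)],
        "id": 0,
    }
    return urllib.request.Request(
        url=f"https://{host}/ipa/session/json",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            # The server checks that Referer points at its own /ipa URL.
            "Referer": f"https://{host}/ipa",
            "Cookie": f"ipa_session={session_cookie}",
        },
    )


def parse_rpc_response(body):
    """Return the command result; raise if the reply carries an error object."""
    reply = json.loads(body)
    # Command failures are reported in the "error" member of the reply body.
    if reply.get("error"):
        err = reply["error"]
        raise RuntimeError(
            f"{err.get('name')} ({err.get('code')}): {err.get('message')}")
    return reply["result"]["result"]
```

To send the request, pass it to `urllib.request.urlopen` with an SSL context that trusts the IPA CA certificate, so that certificate verification stays enabled.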
