Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote:
> Hi all,
> I am PMC chair at Apache Syncope [1], an Open Source system for
> managing digital identities in enterprise environments, implemented in
> JEE technology and released under the Apache 2.0 license.
>
> Apache Syncope can be classified as a provisioning engine, and its duty
> can be summarized as keeping synchronized account data across
> different identity datastores (RDBMS, LDAP, Active Directory, ...).
>
> For the actual communication with such external identity datastores,
> Apache Syncope relies upon ConnId [2], an Open Source fork of Sun
> Microsystems' Identity Connectors framework [3], left dead after Sun's
> acquisition by Oracle.
> I am also project owner at ConnId.
>
> My company Tirasa is about to start the development of a FreeIPA
> ConnId connector [4] that would allow the integration of FreeIPA into
> Apache Syncope-based IdM architectures.
>
> We are currently installing and testing FreeIPA in order to understand
> what is the better way to implement the communication with Syncope: do
> you have any suggestion about where to start from?
> Thanks.

Can you please list the provisioning use cases that you want to support? Add user? Edit user? Reset password?

Keep in mind that after a password is set for a user, the user needs to change it on the first login. This is done to make sure that no one can impersonate the user and that the password is not known outside the system. So this is one of the first hurdles you need to deal with, i.e. fire and forget, and not try to use the password for anything else in the IPA use case.

To call into IPA you can use the "ipa ..." command line or use our API from the python client. Since you are using Java, calling into the "ipa" command is probably the best option.

In future we plan to allow insertion of the users via an ldap command, https://fedorahosted.org/freeipa/ticket/3911; it is on the roadmap for this spring.

What are other use cases and workflows you have? Do you have a password reset self service?
If you do, it might be a nice external addition to FreeIPA if it integrates into the UI seamlessly.

> Best regards.
>
> [1] http://syncope.apache.org/
> [2] http://tirasa.github.io/ConnId/
> [3] http://java.net/projects/identityconnectors/
> [4] https://github.com/Tirasa/ConnIdFreeIPABundle

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
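An added example (not from this thread, and not code from the ConnId or FreeIPA projects) of the provisioning shape described above: the connector shells out to the ipa CLI, hands over the initial password exactly once and never reuses it, then reads the account back to see whether FreeIPA has already expired that password so the user is forced to change it at first login. The `ipa user-show --raw` line layout, the no-tty stdin behaviour of the `--password` prompt, the expiry mechanism and the sample entry are all assumptions.

```python
import subprocess

GENERALIZED_TIME_LENGTH = 15  # LDAP GeneralizedTime, e.g. 20140130113500Z


def user_add_argv(uid, first, last):
    # `--password` makes the CLI prompt for the secret instead of taking it in
    # argv, so it never shows up in the process list or shell history.
    return ["ipa", "user-add", uid, "--first", first, "--last", last, "--password"]


def run_ipa(argv, password=None):
    # Assumption: with no tty, the ipa prompt reads one line from stdin. The
    # password is written once and dropped: fire and forget, never reused.
    stdin = password + "\n" if password is not None else None
    proc = subprocess.run(argv, input=stdin, capture_output=True, text=True, check=True)
    return proc.stdout


def parse_raw_entry(text):
    # Assumed `ipa user-show --raw` layout: one "attr: value" line per value.
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.strip().partition(":")
        if sep:
            entry.setdefault(attr.lower(), []).append(value.strip())
    return entry


def must_change_password(entry, now):
    """True when krbPasswordExpiration is at or before `now` (both GeneralizedTime).
    Assumed mechanism: FreeIPA expires an administrator-set password immediately,
    which is what forces the first-login change mentioned in the thread."""
    values = entry.get("krbpasswordexpiration")
    if not values:
        return False  # no expiration recorded: nothing forces a change
    for stamp in (values[0], now):
        if len(stamp) != GENERALIZED_TIME_LENGTH or not stamp.endswith("Z"):
            raise ValueError("unexpected GeneralizedTime: %r" % stamp)
    return values[0] <= now  # fixed-width UTC stamps compare lexicographically


# Constructed `ipa user-show alice --raw` output, as the connector would read it
SAMPLE_RAW = """\
  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
  uid: alice
  givenname: Alice
  krbpasswordexpiration: 20140130113500Z
"""
```

run_ipa() needs a host with an enrolled ipa client and a valid Kerberos ticket; the parser and the expiry check run offline on the constructed sample.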
Re: [Freeipa-devel] [PATCH] 455 Fallback to global policy in ipa-lockout plugin
Martin Kosek wrote:
> krbPwdPolicyReference is no longer filled default users. Instead, plugins
> fallback to hardcoded global policy reference. Fix ipa-lockout plugin to
> fallback to it instead of failing to apply the policy.
>
> https://fedorahosted.org/freeipa/ticket/4085

NACK.

I think you should include the value of krberr in error messages (we aren't exactly consistent in this elsewhere in the code but we need to start somewhere).

You check the wrong value after the krb5_get_default_realm() call.

It is probably better to use slapi_ch_free_string() than free(). At some point we'll need a common library where this sort of operation can be done.

rob
[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
Hi all,
I am PMC chair at Apache Syncope [1], an Open Source system for managing digital identities in enterprise environments, implemented in JEE technology and released under the Apache 2.0 license.

Apache Syncope can be classified as a provisioning engine, and its duty can be summarized as keeping synchronized account data across different identity datastores (RDBMS, LDAP, Active Directory, ...).

For the actual communication with such external identity datastores, Apache Syncope relies upon ConnId [2], an Open Source fork of Sun Microsystems' Identity Connectors framework [3], left dead after Sun's acquisition by Oracle.
I am also project owner at ConnId.

My company Tirasa is about to start the development of a FreeIPA ConnId connector [4] that would allow the integration of FreeIPA into Apache Syncope-based IdM architectures.

We are currently installing and testing FreeIPA in order to understand what is the better way to implement the communication with Syncope: do you have any suggestion about where to start from?
Thanks.
Best regards.

[1] http://syncope.apache.org/
[2] http://tirasa.github.io/ConnId/
[3] http://java.net/projects/identityconnectors/
[4] https://github.com/Tirasa/ConnIdFreeIPABundle

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PPMC
http://people.apache.org/~ilgrosso/
[Freeipa-devel] [PATCH] 455 Fallback to global policy in ipa-lockout plugin
krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy.

https://fedorahosted.org/freeipa/ticket/4085

-- 
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From 56e537f4b1bc0cc557585b0de46bdb9e1ec2ff60 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Thu, 30 Jan 2014 16:58:25 +0100 Subject: [PATCH] Fallback to global policy in ipa-lockout plugin krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy. https://fedorahosted.org/freeipa/ticket/4085 --- .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c| 34 ++ 1 file changed, 34 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5f64ca777847a327fdb6b0545bc2ccf4b7be3af4 100644 --- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c @@ -49,6 +49,7 @@ #include #include "slapi-plugin.h" #include "nspr.h" +#include #include "util.h" @@ -81,6 +82,8 @@ static int g_plugin_started = 0; static struct ipa_context *global_ipactx = NULL; +static char *ipa_global_policy = NULL; + #define GENERALIZED_TIME_LENGTH 15 /** @@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx) Slapi_Attr *attr = NULL; char *dn = NULL; char *basedn = NULL; +char *realm = NULL; Slapi_DN *sdn; Slapi_Entry *config_entry; +krb5_context krbctx = NULL; +krb5_error_code krberr; int ret; /* Get cn=config so we can get the default naming context */ 
@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx) goto done; } +krberr = krb5_init_context(&krbctx); +if (krberr) { +LOG_FATAL("krb5_init_context failed\n"); +ret = LDAP_OPERATIONS_ERROR; +goto done; +} + +krberr = krb5_get_default_realm(krbctx, &realm); +if (ret) { +LOG_FATAL("Failed to get default realm?!\n"); +ret = LDAP_OPERATIONS_ERROR; +goto done; +} + +ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s", + realm, basedn); +if (!ipa_global_policy) { +LOG_OOM(); +ret = LDAP_OPERATIONS_ERROR; +goto done; +} + ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn); if (ret == -1) { LOG_OOM(); @@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx) done: if (config_entry) slapi_entry_free(config_entry); +free(realm); +krb5_free_context(krbctx); free(dn); free(basedn); return ret; @@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry, slapi_valueset_first_value(*values, &sv); *policy_dn = slapi_value_get_string(sv); } +} else { +*policy_dn = ipa_global_policy; } if (*policy_dn == NULL) { @@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb) { LOG_TRACE( "--in-->\n"); +free(ipa_global_policy); + LOG_TRACE("<--out--\n"); return EOK; -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
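Review bot: the `+#include` line in the first hunk (@@ -49,6 +49,7 @@) carries no header name in the archived copy, so the include cannot be checked as posted; the new code calls krb5_init_context(), krb5_get_default_realm() and krb5_free_context(), so confirm that the line names the libkrb5 header that declares them and that the build system already links the plugin against libkrb5.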
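Review bot: in the @@ -167,6 +173,28 @@ hunk the test after `+krberr = krb5_get_default_realm(krbctx, &realm);` reads `+if (ret) {`, but the call's result is in krberr; ret still holds the outcome of the preceding step, so on the normal path the check is a no-op and a failed realm lookup leaves realm NULL and passes it straight into slapi_ch_smprintf(). Change it to `if (krberr)`, and have both krb5 failure messages log the krberr value (and ideally krb5_get_error_message()) rather than the bare "failed" text, otherwise the log gives no hint why the lockout plugin could not build its global policy DN.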
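Review bot: in the done: hunk (@@ -221,6 +249,8 @@), `+free(realm);` releases a string that krb5_get_default_realm() allocated; libkrb5 provides krb5_free_default_realm(krbctx, realm) for exactly that, and pairing the library's allocator with its own free avoids a mismatch if libkrb5 ever changes how it allocates. Also guard `+krb5_free_context(krbctx);` with `if (krbctx)`: krbctx is NULL when krb5_init_context() fails and whenever one of the earlier `goto done` branches is taken before the new code runs, so the cleanup should not rely on libkrb5 tolerating a NULL context.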
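Review bot: the new `+} else { +*policy_dn = ipa_global_policy; }` branch in ipalockout_getpolicy() (@@ -248,6 +278,8 @@) hands out a pointer into plugin-global storage, while the existing branch returns a pointer owned by the entry's value; neither belongs to the caller, but nothing in the hunk says so, and a caller that frees *policy_dn would now destroy the cached global DN for every later lookup. Add a comment stating that *policy_dn is borrowed, and consider a LOG_TRACE when the fallback is taken so that an account silently receiving the global lockout policy is visible in the logs.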
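Review bot: `+free(ipa_global_policy);` in ipalockout_close() (@@ -376,6 +408,8 @@) frees memory that slapi_ch_smprintf() allocated; use slapi_ch_free_string(&ipa_global_policy), which matches the allocator and also resets the pointer to NULL, so a lookup racing with shutdown cannot be handed a dangling policy DN.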
Re: [Freeipa-devel] [PATCH 0009-0011] Replace existing domain names and non-private IP addresses in tests
On 01/30/2014 01:11 PM, Petr Spacek wrote:
> Hello,
>
> now DNS tests behave like a good citizen of the Internet.
> (... And it will simplify patches for bind-dyndb-ldap 4.0.)
>
> https://fedorahosted.org/freeipa/ticket/4139

Thanks for cleaning up!

ACK, pushed to master: df3fa943abf58f2ad02919ecb1b199f3ff6d510b

-- 
Petr³