Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
Hi guys, I hope to explain in a few words what we are doing with ConnID and IPA. Comments in-line. On 03/10/2014 10:57 PM, Dmitri Pal wrote: On 03/10/2014 03:14 PM, Petr Viktorin wrote: On 03/10/2014 07:17 PM, Dmitri Pal wrote: On 03/10/2014 08:24 AM, Petr Viktorin wrote: On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote: Hi all, Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò ilgro...@apache.org mailto:ilgro...@apache.org ha scritto: On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: [...] I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. ^ quote left here deliberately [...] We start to implementing a FreeIPA ConnId connector for Apache Syncope. We have to implement all identity operations defined by the ConnId framework. I would like to know the implementation status of the Smart/Proxy and if we can use it to all the identity operations. I'm reviewing the Foreman Smart proxy patches now. They're not in the FreeIPA repository yet. However the remaining issues were with packaging, code organization, naming. The Smart Proxy is now specific to Foreman provisioning; it is not a full REST interface so it will probably not support all operations you need. For a full REST interface, patches are welcome but the core FreeIPA team has other priorities at the moment. The RFE ticket is here: https://fedorahosted.org/freeipa/ticket/4168. For user provisioning you do not need a full REST api. You need to have a similar proxy but just for user related operations. So the smart proxy can be used as a model to do what you need to implement for Syncope integration. You'd be building two bridges (IPA--REST REST--ConnID) when you could build just one. Unless you already have a suitable generic REST connector already, I don't think it's your best option. From this thread it seems to me that JSON-RPC--ConnID would not require significantly more work than just the REST--ConnID part. What are the operations you need to implement? Can you list them? They were listed earlier in the thread, and [5]. It is usually easy to take something that is already working like smart proxy and change the entry points to the ones that you need. I am not familiar with the architecture of the connectors. Are they separate processes? Are they daemons? Are they forked per request? Connection to IPA needs to be authenticated. If the connection to IPA happens from a single process like smart proxy you do not need to worry about machinery related to authentication and session managment. It is already implemented. This is why I was suggesting to use smart proxy. IMO REST vs. JSON is not that big deal. They are similar. Doing things right from the authentication POV and session management are much harder. But if we do not see a value in using smart proxy even like a reference point for ConnID I would not insist. Basically a ConnID bundle (ConnID is framework used by Apache Syncope to connect the external resources) is a Java library developed to invoke the following operations from Apache Syncope to the target resource: AUTHENTICATE CREATE UPDATE UPDATE_ATTRIBUTE_VALUES DELETE RESOLVE_USERNAME SCHEMA SEARCH SYNC TEST For example, ConnID already has an Active Directory bundle [9] and an LDAP bundle [10]. As you already know, our goal is to develop a new bundle to invoke the provisioning operations on IPA server installation. From ConnID development point of view, the first thing is to choose a right way (to read protocol/interfaces) to communicate with the server. Briefly the right way needs: *) a long term support interfaces; *) an interfaces that allows all user / group provisioning operations; *) a way which leaves ConnID developers totally independent from (in this case) the FreeIPA development. Starting from this introduction we think that the right way is to use JSON-RPC interfaces, with particular attention to authentication and session management, as suggested by you. Do we have to consider other critical factors before starting to work? Massi Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of this thread). There will be potentially need, in this case, to include the ConnId connector server into the Syncope deployment architecture, but this is a supported pattern. Have you looked at JSON-RPC interface mentioned earlier in this thread, and [6]? It might be
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 03/11/2014 11:29 AM, Massimiliano Perrone wrote: Hi guys, I hope to explain in a few words what we are doing with ConnID and IPA. Comments in-line. On 03/10/2014 10:57 PM, Dmitri Pal wrote: On 03/10/2014 03:14 PM, Petr Viktorin wrote: On 03/10/2014 07:17 PM, Dmitri Pal wrote: On 03/10/2014 08:24 AM, Petr Viktorin wrote: On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote: Hi all, Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò ilgro...@apache.org mailto:ilgro...@apache.org ha scritto: On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: [...] I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. ^ quote left here deliberately [...] We start to implementing a FreeIPA ConnId connector for Apache Syncope. We have to implement all identity operations defined by the ConnId framework. I would like to know the implementation status of the Smart/Proxy and if we can use it to all the identity operations. I'm reviewing the Foreman Smart proxy patches now. They're not in the FreeIPA repository yet. However the remaining issues were with packaging, code organization, naming. The Smart Proxy is now specific to Foreman provisioning; it is not a full REST interface so it will probably not support all operations you need. For a full REST interface, patches are welcome but the core FreeIPA team has other priorities at the moment. The RFE ticket is here: https://fedorahosted.org/freeipa/ticket/4168. For user provisioning you do not need a full REST api. You need to have a similar proxy but just for user related operations. So the smart proxy can be used as a model to do what you need to implement for Syncope integration. You'd be building two bridges (IPA--REST REST--ConnID) when you could build just one. Unless you already have a suitable generic REST connector already, I don't think it's your best option. From this thread it seems to me that JSON-RPC--ConnID would not require significantly more work than just the REST--ConnID part. What are the operations you need to implement? Can you list them? They were listed earlier in the thread, and [5]. It is usually easy to take something that is already working like smart proxy and change the entry points to the ones that you need. I am not familiar with the architecture of the connectors. Are they separate processes? Are they daemons? Are they forked per request? Connection to IPA needs to be authenticated. If the connection to IPA happens from a single process like smart proxy you do not need to worry about machinery related to authentication and session managment. It is already implemented. This is why I was suggesting to use smart proxy. IMO REST vs. JSON is not that big deal. They are similar. Doing things right from the authentication POV and session management are much harder. But if we do not see a value in using smart proxy even like a reference point for ConnID I would not insist. Basically a ConnID bundle (ConnID is framework used by Apache Syncope to connect the external resources) is a Java library developed to invoke the following operations from Apache Syncope to the target resource: AUTHENTICATE CREATE UPDATE UPDATE_ATTRIBUTE_VALUES DELETE RESOLVE_USERNAME SCHEMA SEARCH SYNC TEST For example, ConnID already has an Active Directory bundle [9] and an LDAP bundle [10]. As you already know, our goal is to develop a new bundle to invoke the provisioning operations on IPA server installation. From ConnID development point of view, the first thing is to choose a right way (to read protocol/interfaces) to communicate with the server. Briefly the right way needs: *) a long term support interfaces; *) an interfaces that allows all user / group provisioning operations; *) a way which leaves ConnID developers totally independent from (in this case) the FreeIPA development. Starting from this introduction we think that the right way is to use JSON-RPC interfaces, with particular attention to authentication and session management, as suggested by you. Do we have to consider other critical factors before starting to work? This seems reasonable. Here are some other questions that you might want to ask yourself starting the work. http://www.freeipa.org/page/General_considerations (there is no intent to scare you :-) ) HTH Dmitri Massi Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote: Hi all, Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò ilgro...@apache.org mailto:ilgro...@apache.org ha scritto: On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: Are you saying that we should split our development in two: (1) smart proxy, exposing the RESTful interface, developed on the basis of [8] (2) actual ConnId connector, dealing with the proxy above for implementing its own logic Correct If so, could you please point to the source code of [8]? Will then this eventually become part of FreeIPA? Quite soon. I would leave it to the team to suggest whether user and host provisioning smart proxies should be a same smart proxy or different so that they can be installed independently from each other but use the same approach. IMO haveing them separately but share the same code and approach will be more valuable to the project. But I am open to other ideas here. I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. If done right: i.e. following process and style then yes. Please become familiar with the coding style [9] page on the wiki and other contributer guidelines [10]. Also having a design page created as a result of the preliminary investigation would go a long way towards acceptance and quality of the feature. We will gladly guide you on the way if you have specific questions [...] Ok then, we'll do it as follows. We are currently experimenting with FreeIPA, to get familiar with technology and options; once we will be confident enough to start the actual work on the connector, we will check the status of the smart proxy patches from [11]. If the implementation status will be close to be ready and about to be included in the official distribution, we will follow the suggestions above and develop a REST-based connector. We start to implementing a FreeIPA ConnId connector for Apache Syncope. We have to implement all identity operations defined by the ConnId framework. I would like to know the implementation status of the Smart/Proxy and if we can use it to all the identity operations. I'm reviewing the Foreman Smart proxy patches now. They're not in the FreeIPA repository yet. However the remaining issues were with packaging, code organization, naming. The Smart Proxy is now specific to Foreman provisioning; it is not a full REST interface so it will probably not support all operations you need. For a full REST interface, patches are welcome but the core FreeIPA team has other priorities at the moment. The RFE ticket is here: https://fedorahosted.org/freeipa/ticket/4168. Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of this thread). There will be potentially need, in this case, to include the ConnId connector server into the Syncope deployment architecture, but this is a supported pattern. Have you looked at JSON-RPC interface mentioned earlier in this thread, and [6]? It might be cleaner to use that than the command-line interface. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 03/10/2014 08:24 AM, Petr Viktorin wrote: On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote: Hi all, Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò ilgro...@apache.org mailto:ilgro...@apache.org ha scritto: On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: Are you saying that we should split our development in two: (1) smart proxy, exposing the RESTful interface, developed on the basis of [8] (2) actual ConnId connector, dealing with the proxy above for implementing its own logic Correct If so, could you please point to the source code of [8]? Will then this eventually become part of FreeIPA? Quite soon. I would leave it to the team to suggest whether user and host provisioning smart proxies should be a same smart proxy or different so that they can be installed independently from each other but use the same approach. IMO haveing them separately but share the same code and approach will be more valuable to the project. But I am open to other ideas here. I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. If done right: i.e. following process and style then yes. Please become familiar with the coding style [9] page on the wiki and other contributer guidelines [10]. Also having a design page created as a result of the preliminary investigation would go a long way towards acceptance and quality of the feature. We will gladly guide you on the way if you have specific questions [...] Ok then, we'll do it as follows. We are currently experimenting with FreeIPA, to get familiar with technology and options; once we will be confident enough to start the actual work on the connector, we will check the status of the smart proxy patches from [11]. If the implementation status will be close to be ready and about to be included in the official distribution, we will follow the suggestions above and develop a REST-based connector. We start to implementing a FreeIPA ConnId connector for Apache Syncope. We have to implement all identity operations defined by the ConnId framework. I would like to know the implementation status of the Smart/Proxy and if we can use it to all the identity operations. I'm reviewing the Foreman Smart proxy patches now. They're not in the FreeIPA repository yet. However the remaining issues were with packaging, code organization, naming. The Smart Proxy is now specific to Foreman provisioning; it is not a full REST interface so it will probably not support all operations you need. For a full REST interface, patches are welcome but the core FreeIPA team has other priorities at the moment. The RFE ticket is here: https://fedorahosted.org/freeipa/ticket/4168. For user provisioning you do not need a full REST api. You need to have a similar proxy but just for user related operations. So the smart proxy can be used as a model to do what you need to implement for Syncope integration. What are the operations you need to implement? Can you list them? Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of this thread). There will be potentially need, in this case, to include the ConnId connector server into the Syncope deployment architecture, but this is a supported pattern. Have you looked at JSON-RPC interface mentioned earlier in this thread, and [6]? It might be cleaner to use that than the command-line interface. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 03/10/2014 07:17 PM, Dmitri Pal wrote: On 03/10/2014 08:24 AM, Petr Viktorin wrote: On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote: Hi all, Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò ilgro...@apache.org mailto:ilgro...@apache.org ha scritto: On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: [...] I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. ^ quote left here deliberately [...] We start to implementing a FreeIPA ConnId connector for Apache Syncope. We have to implement all identity operations defined by the ConnId framework. I would like to know the implementation status of the Smart/Proxy and if we can use it to all the identity operations. I'm reviewing the Foreman Smart proxy patches now. They're not in the FreeIPA repository yet. However the remaining issues were with packaging, code organization, naming. The Smart Proxy is now specific to Foreman provisioning; it is not a full REST interface so it will probably not support all operations you need. For a full REST interface, patches are welcome but the core FreeIPA team has other priorities at the moment. The RFE ticket is here: https://fedorahosted.org/freeipa/ticket/4168. For user provisioning you do not need a full REST api. You need to have a similar proxy but just for user related operations. So the smart proxy can be used as a model to do what you need to implement for Syncope integration. You'd be building two bridges (IPA--REST REST--ConnID) when you could build just one. Unless you already have a suitable generic REST connector already, I don't think it's your best option. From this thread it seems to me that JSON-RPC--ConnID would not require significantly more work than just the REST--ConnID part. What are the operations you need to implement? Can you list them? They were listed earlier in the thread, and [5]. Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of this thread). There will be potentially need, in this case, to include the ConnId connector server into the Syncope deployment architecture, but this is a supported pattern. Have you looked at JSON-RPC interface mentioned earlier in this thread, and [6]? It might be cleaner to use that than the command-line interface. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 03/10/2014 03:14 PM, Petr Viktorin wrote: On 03/10/2014 07:17 PM, Dmitri Pal wrote: On 03/10/2014 08:24 AM, Petr Viktorin wrote: On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote: Hi all, Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò ilgro...@apache.org mailto:ilgro...@apache.org ha scritto: On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: [...] I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. ^ quote left here deliberately [...] We start to implementing a FreeIPA ConnId connector for Apache Syncope. We have to implement all identity operations defined by the ConnId framework. I would like to know the implementation status of the Smart/Proxy and if we can use it to all the identity operations. I'm reviewing the Foreman Smart proxy patches now. They're not in the FreeIPA repository yet. However the remaining issues were with packaging, code organization, naming. The Smart Proxy is now specific to Foreman provisioning; it is not a full REST interface so it will probably not support all operations you need. For a full REST interface, patches are welcome but the core FreeIPA team has other priorities at the moment. The RFE ticket is here: https://fedorahosted.org/freeipa/ticket/4168. For user provisioning you do not need a full REST api. You need to have a similar proxy but just for user related operations. So the smart proxy can be used as a model to do what you need to implement for Syncope integration. You'd be building two bridges (IPA--REST REST--ConnID) when you could build just one. Unless you already have a suitable generic REST connector already, I don't think it's your best option. From this thread it seems to me that JSON-RPC--ConnID would not require significantly more work than just the REST--ConnID part. What are the operations you need to implement? Can you list them? They were listed earlier in the thread, and [5]. It is usually easy to take something that is already working like smart proxy and change the entry points to the ones that you need. I am not familiar with the architecture of the connectors. Are they separate processes? Are they daemons? Are they forked per request? Connection to IPA needs to be authenticated. If the connection to IPA happens from a single process like smart proxy you do not need to worry about machinery related to authentication and session managment. It is already implemented. This is why I was suggesting to use smart proxy. IMO REST vs. JSON is not that big deal. They are similar. Doing things right from the authentication POV and session management are much harder. But if we do not see a value in using smart proxy even like a reference point for ConnID I would not insist. Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of this thread). There will be potentially need, in this case, to include the ConnId connector server into the Syncope deployment architecture, but this is a supported pattern. Have you looked at JSON-RPC interface mentioned earlier in this thread, and [6]? It might be cleaner to use that than the command-line interface. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
Hi all, Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò ilgro...@apache.org ha scritto: On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: Are you saying that we should split our development in two: (1) smart proxy, exposing the RESTful interface, developed on the basis of [8] (2) actual ConnId connector, dealing with the proxy above for implementing its own logic Correct If so, could you please point to the source code of [8]? Will then this eventually become part of FreeIPA? Quite soon. I would leave it to the team to suggest whether user and host provisioning smart proxies should be a same smart proxy or different so that they can be installed independently from each other but use the same approach. IMO haveing them separately but share the same code and approach will be more valuable to the project. But I am open to other ideas here. I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. If done right: i.e. following process and style then yes. Please become familiar with the coding style [9] page on the wiki and other contributer guidelines [10]. Also having a design page created as a result of the preliminary investigation would go a long way towards acceptance and quality of the feature. We will gladly guide you on the way if you have specific questions [...] Ok then, we'll do it as follows. We are currently experimenting with FreeIPA, to get familiar with technology and options; once we will be confident enough to start the actual work on the connector, we will check the status of the smart proxy patches from [11]. If the implementation status will be close to be ready and about to be included in the official distribution, we will follow the suggestions above and develop a REST-based connector. We start to implementing a FreeIPA ConnId connector for Apache Syncope. We have to implement all identity operations defined by the ConnId framework. I would like to know the implementation status of the Smart/Proxy and if we can use it to all the identity operations. Thanks M Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of this thread). There will be potentially need, in this case, to include the ConnId connector server into the Syncope deployment architecture, but this is a supported pattern. Thanks for your support. Regards. [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy [1] http://syncope.apache.org/ [9] http://www.freeipa.org/page/Coding_Style [10] http://www.freeipa.org/page/Contribute/Code [11] https://fedorahosted.org/freeipa/ticket/4128 [12] https://github.com/Tirasa/ConnIdCMDBundle [13] https://connid.atlassian.net/wiki/display/BASE/Connector+Servers -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Involved at The Apache Software Foundation: member, Syncope PMC chair, Cocoon PMC, Olingo PPMC http://people.apache.org/~ilgrosso/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Dott. Marco Di Sabatino Di Diodoro Tel. +39 3939065570 Tirasa S.r.l. Viale D'Annunzio 267 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member http://people.apache.org/~mdisabatino/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 31/01/2014 18:57, Dmitri Pal wrote: On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: Are you saying that we should split our development in two: (1) smart proxy, exposing the RESTful interface, developed on the basis of [8] (2) actual ConnId connector, dealing with the proxy above for implementing its own logic Correct If so, could you please point to the source code of [8]? Will then this eventually become part of FreeIPA? Quite soon. I would leave it to the team to suggest whether user and host provisioning smart proxies should be a same smart proxy or different so that they can be installed independently from each other but use the same approach. IMO haveing them separately but share the same code and approach will be more valuable to the project. But I am open to other ideas here. I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. If done right: i.e. following process and style then yes. Please become familiar with the coding style [9] page on the wiki and other contributer guidelines [10]. Also having a design page created as a result of the preliminary investigation would go a long way towards acceptance and quality of the feature. We will gladly guide you on the way if you have specific questions [...] Ok then, we'll do it as follows. We are currently experimenting with FreeIPA, to get familiar with technology and options; once we will be confident enough to start the actual work on the connector, we will check the status of the smart proxy patches from [11]. If the implementation status will be close to be ready and about to be included in the official distribution, we will follow the suggestions above and develop a REST-based connector. Otherwise, we will instead specialize the CMD connector [12] to feature the FreeIPA command-line interface (as suggested at the beginning of this thread). There will be potentially need, in this case, to include the ConnId connector server into the Syncope deployment architecture, but this is a supported pattern. Thanks for your support. Regards. [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy [1] http://syncope.apache.org/ [9] http://www.freeipa.org/page/Coding_Style [10] http://www.freeipa.org/page/Contribute/Code [11] https://fedorahosted.org/freeipa/ticket/4128 [12] https://github.com/Tirasa/ConnIdCMDBundle [13] https://connid.atlassian.net/wiki/display/BASE/Connector+Servers -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Involved at The Apache Software Foundation: member, Syncope PMC chair, Cocoon PMC, Olingo PPMC http://people.apache.org/~ilgrosso/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 01/31/2014 05:03 AM, Martin Kosek wrote: On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote: On 30/01/2014 19:25, Dmitri Pal wrote: On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: ... To call into IPA you can use ipa ... command line or use out API from python client. Since you are using Java calling into ipa command is probably the best option. Actually, a RESTful interface (HTTP/JSON) would better suit our development model and deployment scenarios. FreeIPA does not have (currently) not RESTful interface (though it is being partially designed in [8]). However it has a Kerberos-protected JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the server. For examples of working with it: http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ I found the Batch command especially helpful: it allows you to send multiple single commands in one remote call. Here are some sample data batch commands. They are old, and have not been tested in a few years, but they should give you a sense of how to do a few bascia things via the JSON-RPC interface. http://admiyo.fedorapeople.org/ipa/long_userlist.json http://admiyo.fedorapeople.org/ipa/sampledata-summit.json We do not, however, have a good (read none) documentation of the interface, see related discussion in freeipa-users list [6]. In future we plan to allow insertion of the users via an ldap command https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for this spring. What are other use cases and workflows you have? Do you have a password reset self service? If you do it might be nice external addition to FreeIPA if it integrates into the UI seamlessly. The idea is to deploy the latest FreeIPA version in our lab, start playing with it and come to this list for asking for more information we are not able to find in the wiki (just to avoid some graceful RTFMs...). Then, every time we get something working, we will also check here whether we are heading into the right direction, if we are missing some important points, etc. Does it sound? Sounds good to me, you should be able to find all documentation links in [7]. Regards. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 30/01/2014 19:25, Dmitri Pal wrote: On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: Hi all, I am PMC chair at Apache Syncope [1], an Open Source system for managing digital identities in enterprise environments, implemented in JEE technology and released under Apache 2.0 license. Apache Syncope can be classified as provisioning engine, and its duty can be summarized as keeping synchronized account data across different identity datastores (RDBMS, LDAP, Active Directory, ). For the actual communication with such external identity datastores, Apache Syncope relies upon ConnId [2], an Open Source fork of Sun Microsystem's Identity Connectors framework [3], left dead after Sun's acquisition by Oracle. I am also project owner at ConnId. My company Tirasa is about to start the development of a FreeIPA ConnId connector [4] that would allow the integration of FreeIPA into Apache Syncope-based IdM architectures. We are currently installing and testing FreeIPA in order to understand what is the better way to implement the communication with Syncope: do you have any suggestion about where to start from? Thanks. Can you please list provisioning use cases that you want to support? Add user? Edit user? Reset password? Basically we are planning to implement all identity operations defined by the ConnId framework [5], e.g.: AUTHENTICATE CREATE UPDATE UPDATE_ATTRIBUTE_VALUES DELETE RESOLVE_USERNAME SCHEMA SEARCH SYNC TEST for ACCOUNTs and GROUPs; some of such operations (SYNC, for example) is usually more complex than others. It will be then Syncope's business to build high-level identity operations on top of these primitives, as it does with existing connectors, in a technology-agnostic way. Keep in mind that after password is set for a user user needs to change it on the first login. This is done to make sure that no one can impersonate user and password is not know outside the system. So this is one of the first hurdles you need to deal with, i.e. fire and forget and not try to use password for anything else in IPA use case. This seems to be the first custom requirement of this connector, if compared with existing ones: good to know :-) To call into IPA you can use ipa ... command line or use out API from python client. Since you are using Java calling into ipa command is probably the best option. Actually, a RESTful interface (HTTP/JSON) would better suit our development model and deployment scenarios. In future we plan to allow insertion of the users via an ldap command https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for this spring. What are other use cases and workflows you have? Do you have a password reset self service? If you do it might be nice external addition to FreeIPA if it integrates into the UI seamlessly. The idea is to deploy the latest FreeIPA version in our lab, start playing with it and come to this list for asking for more information we are not able to find in the wiki (just to avoid some graceful RTFMs...). Then, every time we get something working, we will also check here whether we are heading into the right direction, if we are missing some important points, etc. Does it sound? Regards. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Involved at The Apache Software Foundation: member, Syncope PMC chair, Cocoon PMC, Olingo PPMC http://people.apache.org/~ilgrosso/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote: On 30/01/2014 19:25, Dmitri Pal wrote: On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: ... To call into IPA you can use ipa ... command line or use out API from python client. Since you are using Java calling into ipa command is probably the best option. Actually, a RESTful interface (HTTP/JSON) would better suit our development model and deployment scenarios. FreeIPA does not have (currently) not RESTful interface (though it is being partially designed in [8]). However it has a Kerberos-protected JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the server. We do not, however, have a good (read none) documentation of the interface, see related discussion in freeipa-users list [6]. In future we plan to allow insertion of the users via an ldap command https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for this spring. What are other use cases and workflows you have? Do you have a password reset self service? If you do it might be nice external addition to FreeIPA if it integrates into the UI seamlessly. The idea is to deploy the latest FreeIPA version in our lab, start playing with it and come to this list for asking for more information we are not able to find in the wiki (just to avoid some graceful RTFMs...). Then, every time we get something working, we will also check here whether we are heading into the right direction, if we are missing some important points, etc. Does it sound? Sounds good to me, you should be able to find all documentation links in [7]. Regards. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 01/31/2014 05:03 AM, Martin Kosek wrote: On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote: On 30/01/2014 19:25, Dmitri Pal wrote: On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: ... To call into IPA you can use ipa ... command line or use out API from python client. Since you are using Java calling into ipa command is probably the best option. Actually, a RESTful interface (HTTP/JSON) would better suit our development model and deployment scenarios. FreeIPA does not have (currently) not RESTful interface (though it is being partially designed in [8]). However it has a Kerberos-protected JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the server. I suggest that you look at the implementation of [8] and create a user provisioning smart proxy similar to it. This proxy would expose the REST API that can be consumed by your connector or some other system and will be a part of IPA. Internally proxy will call JSON RPC against IPA and have all the busyness logic. So the recommendation is to make your connector lightwight and leverage a proxy that can be reused by other systems. We do not, however, have a good (read none) documentation of the interface, see related discussion in freeipa-users list [6]. And would appreciate if you start a wiki page to record it as you go so that we can start documenting it. In future we plan to allow insertion of the users via an ldap command https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for this spring. What are other use cases and workflows you have? Do you have a password reset self service? If you do it might be nice external addition to FreeIPA if it integrates into the UI seamlessly. The idea is to deploy the latest FreeIPA version in our lab, start playing with it and come to this list for asking for more information we are not able to find in the wiki (just to avoid some graceful RTFMs...). Then, every time we get something working, we will also check here whether we are heading into the right direction, if we are missing some important points, etc. Does it sound? Sounds good to me, you should be able to find all documentation links in [7]. +1 Regards. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 31/01/2014 12:52, Dmitri Pal wrote: On 01/31/2014 05:03 AM, Martin Kosek wrote: On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote: On 30/01/2014 19:25, Dmitri Pal wrote: On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: ... To call into IPA you can use ipa ... command line or use out API from python client. Since you are using Java calling into ipa command is probably the best option. Actually, a RESTful interface (HTTP/JSON) would better suit our development model and deployment scenarios. FreeIPA does not have (currently) not RESTful interface (though it is being partially designed in [8]). However it has a Kerberos-protected JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the server. I suggest that you look at the implementation of [8] and create a user provisioning smart proxy similar to it. This proxy would expose the REST API that can be consumed by your connector or some other system and will be a part of IPA. Internally proxy will call JSON RPC against IPA and have all the busyness logic. So the recommendation is to make your connector lightwight and leverage a proxy that can be reused by other systems. Are you saying that we should split our development in two: (1) smart proxy, exposing the RESTful interface, developed on the basis of [8] (2) actual ConnId connector, dealing with the proxy above for implementing its own logic If so, could you please point to the source code of [8]? Will then this eventually become part of FreeIPA? I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. We do not, however, have a good (read none) documentation of the interface, see related discussion in freeipa-users list [6]. And would appreciate if you start a wiki page to record it as you go so that we can start documenting it. In future we plan to allow insertion of the users via an ldap command https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for this spring. What are other use cases and workflows you have? Do you have a password reset self service? If you do it might be nice external addition to FreeIPA if it integrates into the UI seamlessly. The idea is to deploy the latest FreeIPA version in our lab, start playing with it and come to this list for asking for more information we are not able to find in the wiki (just to avoid some graceful RTFMs...). Then, every time we get something working, we will also check here whether we are heading into the right direction, if we are missing some important points, etc. Does it sound? Sounds good to me, you should be able to find all documentation links in [7]. +1 [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Involved at The Apache Software Foundation: member, Syncope PMC chair, Cocoon PMC, Olingo PPMC http://people.apache.org/~ilgrosso/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 31.1.2014 14:17, Francesco Chicchiriccò wrote: On 31/01/2014 12:52, Dmitri Pal wrote: On 01/31/2014 05:03 AM, Martin Kosek wrote: On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote: On 30/01/2014 19:25, Dmitri Pal wrote: On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: ... To call into IPA you can use ipa ... command line or use out API from python client. Since you are using Java calling into ipa command is probably the best option. Actually, a RESTful interface (HTTP/JSON) would better suit our development model and deployment scenarios. FreeIPA does not have (currently) not RESTful interface (though it is being partially designed in [8]). However it has a Kerberos-protected JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the server. I suggest that you look at the implementation of [8] and create a user provisioning smart proxy similar to it. This proxy would expose the REST API that can be consumed by your connector or some other system and will be a part of IPA. Internally proxy will call JSON RPC against IPA and have all the busyness logic. So the recommendation is to make your connector lightwight and leverage a proxy that can be reused by other systems. Are you saying that we should split our development in two: (1) smart proxy, exposing the RESTful interface, developed on the basis of [8] (2) actual ConnId connector, dealing with the proxy above for implementing its own logic If so, could you please point to the source code of [8]? Will then this eventually become part of FreeIPA? I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. First patches with SmartProxy were posted to devel mailing list some time ago: https://www.redhat.com/archives/freeipa-devel/2014-January/msg00213.html We plan to integrate SmartProxy to the source main tree: See ticket https://fedorahosted.org/freeipa/ticket/4128 Petr^2 Spacek We do not, however, have a good (read none) documentation of the interface, see related discussion in freeipa-users list [6]. And would appreciate if you start a wiki page to record it as you go so that we can start documenting it. In future we plan to allow insertion of the users via an ldap command https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for this spring. What are other use cases and workflows you have? Do you have a password reset self service? If you do it might be nice external addition to FreeIPA if it integrates into the UI seamlessly. The idea is to deploy the latest FreeIPA version in our lab, start playing with it and come to this list for asking for more information we are not able to find in the wiki (just to avoid some graceful RTFMs...). Then, every time we get something working, we will also check here whether we are heading into the right direction, if we are missing some important points, etc. Does it sound? Sounds good to me, you should be able to find all documentation links in [7]. +1 [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote: Are you saying that we should split our development in two: (1) smart proxy, exposing the RESTful interface, developed on the basis of [8] (2) actual ConnId connector, dealing with the proxy above for implementing its own logic Correct If so, could you please point to the source code of [8]? Will then this eventually become part of FreeIPA? Quite soon. I would leave it to the team to suggest whether user and host provisioning smart proxies should be a same smart proxy or different so that they can be installed independently from each other but use the same approach. IMO haveing them separately but share the same code and approach will be more valuable to the project. But I am open to other ideas here. I am actually not sure if it is lightweight connector could actually be better than a loaded connector (e.g. without proxy), from a deployment point of view, unless you are saying either that (a) a smart proxy is already available that can be reused The idea can be reused as a starting point. IMO the easiest would be to look at the patches and use same machinery but implement different commands. or that (b) incorporating the smart proxy that we are going to develop into FreeIPA will easily happen. If done right: i.e. following process and style then yes. Please become familiar with the coding style [9] page on the wiki and other contributer guidelines [10]. Also having a design page created as a result of the preliminary investigation would go a long way towards acceptance and quality of the feature. We will gladly guide you on the way if you have specific questions [...] [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html [7] http://www.freeipa.org/page/Documentation [8] http://www.freeipa.org/page/V3/Smart_Proxy [1] http://syncope.apache.org/ [9] http://www.freeipa.org/page/Coding_Style [10] http://www.freeipa.org/page/Contribute/Code -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
Hi all, I am PMC chair at Apache Syncope [1], an Open Source system for managing digital identities in enterprise environments, implemented in JEE technology and released under Apache 2.0 license. Apache Syncope can be classified as provisioning engine, and its duty can be summarized as keeping synchronized account data across different identity datastores (RDBMS, LDAP, Active Directory, ). For the actual communication with such external identity datastores, Apache Syncope relies upon ConnId [2], an Open Source fork of Sun Microsystem's Identity Connectors framework [3], left dead after Sun's acquisition by Oracle. I am also project owner at ConnId. My company Tirasa is about to start the development of a FreeIPA ConnId connector [4] that would allow the integration of FreeIPA into Apache Syncope-based IdM architectures. We are currently installing and testing FreeIPA in order to understand what is the better way to implement the communication with Syncope: do you have any suggestion about where to start from? Thanks. Best regards. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Involved at The Apache Software Foundation: member, Syncope PMC chair, Cocoon PMC, Olingo PPMC http://people.apache.org/~ilgrosso/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope
On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: Hi all, I am PMC chair at Apache Syncope [1], an Open Source system for managing digital identities in enterprise environments, implemented in JEE technology and released under Apache 2.0 license. Apache Syncope can be classified as provisioning engine, and its duty can be summarized as keeping synchronized account data across different identity datastores (RDBMS, LDAP, Active Directory, ). For the actual communication with such external identity datastores, Apache Syncope relies upon ConnId [2], an Open Source fork of Sun Microsystem's Identity Connectors framework [3], left dead after Sun's acquisition by Oracle. I am also project owner at ConnId. My company Tirasa is about to start the development of a FreeIPA ConnId connector [4] that would allow the integration of FreeIPA into Apache Syncope-based IdM architectures. We are currently installing and testing FreeIPA in order to understand what is the better way to implement the communication with Syncope: do you have any suggestion about where to start from? Thanks. Can you please list provisioning use cases that you want to support? Add user? Edit user? Reset password? Keep in mind that after password is set for a user user needs to change it on the first login. This is done to make sure that no one can impersonate user and password is not know outside the system. So this is one of the first hurdles you need to deal with, i.e. fire and forget and not try to use password for anything else in IPA use case. To call into IPA you can use ipa ... command line or use out API from python client. Since you are using Java calling into ipa command is probably the best option. In future we plan to allow insertion of the users via an ldap command https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for this spring. What are other use cases and workflows you have? Do you have a password reset self service? If you do it might be nice external addition to FreeIPA if it integrates into the UI seamlessly. Best regards. [1] http://syncope.apache.org/ [2] http://tirasa.github.io/ConnId/ [3] http://java.net/projects/identityconnectors/ [4] https://github.com/Tirasa/ConnIdFreeIPABundle -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel