Re: [Freeipa-users] inserting users via java

2015-05-29 Thread Martin Kosek

On 05/28/2015 11:00 PM, Timothy Worman wrote:

On May 28, 2015, at 12:26 PM, Martin Kosek mko...@redhat.com wrote:


On 05/28/2015 07:10 PM, Timothy Worman wrote:

On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote:

On 03/26/2015 03:19 PM, Timothy Worman wrote:

On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:

On 03/26/2015 07:37 PM, Timothy Worman wrote:

Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily.

There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding new user is that easy:

~~~
from ipalib import api
from ipalib import errors

api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
~~~

What way would you suggest to make it more conforming to your use case? Are you 
suggesting REST interface doing the above or something else?

Oh, I think the JSON option is the best one currently available. But I do think 
REST-ful service would be a good idea.


I would be willing to test option 4 if that is where the future is headed.

Ok, just note that this still means LDAP interface a need to talk in LDAP 
protocol.

This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
Cayenne since you can model those ldap entities and simply set their attributes 
and insert. At a lower level JNDI will handle it. I personally prefer this over 
building strings, sending commands, etc.


So this will be ready upstream within several weeks or so. Would you test it 
once it is available before the official upstream release?


Hi Dmitri - following up on this to see how progress is going on this project. 
I am definitely still interested in testing this. In the meantime, I have been 
pursuing http client calls posting json. And I have some questions I need to 
pursue on that as well. Should I take this to freeipa-devel?


Hello Timothy,

I am sorry we did not update this thread, but in the end we decided not to 
invest in the REST interface ourselves at this moment (read - FreeIPA 4.2), but 
rather work on stabilizing and documenting current JSON-RPC API we have as we 
believe the API is easily usable from major languages even though it is not 
RESTy. To prove our point, we need good documentation of it and examples for 
the major languages.

This is the proposal of what shall be done in FreeIPA 4.2 that I sent to 
freeipa-devel:
http://www.redhat.com/archives/freeipa-devel/2015-April/msg00061.html

I hope the way we go for the next release is acceptable for you. In the mean 
time, if you have specific questions on calling JSON from your programs, both 
freeipa-users and freeipa-devel may be suitable, depending on how deep you want 
to go in the code...

HTH,
Martin


Thanks Martin:

OK, just to verify - The staging approach (Dmitri spoke about) of inserting 
records into a staged user schema and having them inserted via a cron job is 
now off for near releases. I am anxious to see that happen.


Ah, looks like I misread the thread branches about what was actually promised. The 
FreeIPA User Life Cycle feature (staging users can be added via LDAP and later 
activated) *is* going to FreeIPA 4.2 and is actually mostly implemented, it 
will be part of FreeIPA 4.2 Alpha release, so you can try it out then.


This is the upstream tracker:
https://fedorahosted.org/freeipa/ticket/3813


But, I am working on a java http client (apache httpclient + 
jaas/Krb5LoginModule) that posts json to the ipaserver. However, I am having 
some difficulty with kerberos negotiation and I should probably start a 
separate thread on that - either here or on freeipa-devel.


Ok. Feel free to ask. I do not expect too big problems with JSONKerberos. 
AFAIK, you do not even need to use JSON calls and Kerberos at the same 
time. With FreeIPA, you can simply login to the API via HTTPS+SPNEGO, get a 
session code and use that for HTTPS JSON API calls (this helps if a JSON 
library cannot do Kerberos auth out of the box).


Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
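
The flow described in the message above (log in once over HTTPS+SPNEGO, keep the session, then make plain HTTPS JSON calls) and the wire form of the `user_add` call shown in Python earlier in the thread, as an added example that is not code from the thread or from the FreeIPA project. The paths `/ipa/session/login_kerberos` and `/ipa/session/json`, the `ipa_session` cookie name and the `Referer` requirement are assumptions about FreeIPA's session API that the thread does not state; the host name, cookie value and server responses are constructed, and nothing is sent over the network.

```python
import json
import re
from http.cookies import SimpleCookie

# Assumed FreeIPA paths (not stated in the thread).
LOGIN_PATH = "/ipa/session/login_kerberos"   # step 1: SPNEGO login, returns a cookie
JSON_PATH = "/ipa/session/json"              # step 2: JSON-RPC with that cookie

# Conservative login-name pattern for records pulled from the SQL source (assumption).
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


class IpaRpcError(Exception):
    """Raised when the JSON-RPC reply carries a non-null "error" member."""

    def __init__(self, name, code, message):
        super().__init__(f"{name} ({code}): {message}")
        self.name = name
        self.code = code


def session_cookie_from_login(set_cookie_header):
    """Extract the session value from the Set-Cookie header of the login reply."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if "ipa_session" not in jar:
        raise ValueError("login reply carried no ipa_session cookie")
    return jar["ipa_session"].value


def build_user_add(host, session, uid, givenname, sn):
    """Return url, headers and body for a user_add call; the caller sends it over
    HTTPS with certificate verification against the IPA CA left enabled."""
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"refusing uid {uid!r}")
    for field in (givenname, sn):
        if not field or any(ord(ch) < 0x20 for ch in field):
            raise ValueError("name fields must be non-empty and free of control characters")
    # Same call as api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User'):
    # positional arguments go in the first list, options in the dict.
    payload = {
        "method": "user_add",
        "params": [[uid], {"givenname": givenname, "sn": sn}],
        "id": 0,
    }
    return {
        "url": f"https://{host}{JSON_PATH}",
        "headers": {
            "Content-Type": "application/json",
            "Accept": "application/json",
            # The server rejects session calls whose Referer is not its own /ipa URL.
            "Referer": f"https://{host}/ipa",
            "Cookie": f"ipa_session={session}",
        },
        # json.dumps does the quoting; values are never spliced into a string by hand.
        "body": json.dumps(payload).encode("utf-8"),
    }


def parse_rpc_response(raw):
    """Return the "result" member, or raise IpaRpcError if the server reported one."""
    doc = json.loads(raw)
    err = doc.get("error")
    if err:
        raise IpaRpcError(err.get("name", "?"), err.get("code", -1), err.get("message", ""))
    return doc["result"]


# Constructed samples standing in for what the server would return.
SAMPLE_SET_COOKIE = "ipa_session=3f9c0a1b; Path=/ipa; Secure; HttpOnly"
SAMPLE_OK = b'{"result": {"value": "newuser", "summary": "Added user"}, "error": null, "id": 0}'
SAMPLE_DUP = (b'{"result": null, "id": 0, "error": {"name": "DuplicateEntry", '
              b'"code": 4002, "message": "user with name \\"newuser\\" already exists"}}')

if __name__ == "__main__":
    session = session_cookie_from_login(SAMPLE_SET_COOKIE)
    request = build_user_add("ipa.example.test", session, "newuser", "New", "User")
    print(request["url"])
    print(request["body"].decode())
    print(parse_rpc_response(SAMPLE_OK)["value"])
    try:
        parse_rpc_response(SAMPLE_DUP)
    except IpaRpcError as exc:
        # A second import run from the SQL source hits this branch for existing users.
        print("server refused:", exc)
```

The session value is a bearer credential for as long as the server keeps the session alive, so it belongs in memory only and out of application logs.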

Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Timothy Worman
On May 28, 2015, at 12:26 PM, Martin Kosek mko...@redhat.com wrote:
 
 On 05/28/2015 07:10 PM, Timothy Worman wrote:
 On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote:
 
 On 03/26/2015 03:19 PM, Timothy Worman wrote:
 On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:
 On 03/26/2015 07:37 PM, Timothy Worman wrote:
 Thanks everyone for the input.
 
 I do agree that I don’t like the sound of option 1. I don’t want to be 
 sending CLI commands from a remote host. And option 3 sounds a 
 bit brittle to me.
 
 2 sounds like the most solid option available right now. I like the fact 
 that there’s an existing/working API there. I’ll need to look into 
 converting my objects into json.
 
 This area honestly seems like one of the weakest aspects of freeipa. 
 There really needs to be a way to push known person entities into the 
 directory easily.
 There may be some disconnect, the JSONRPC/XMLRPC API is the way we still 
 see as an easy way to manipulate the entries (besides CLI and Web UI). In 
 Python, adding new user is that easy:
 
 ~~~
 from ipalib import api
 from ipalib import errors
 
 api.bootstrap(context='cli')
 api.finalize()
 api.Backend.rpcclient.connect()
 api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
 ~~~
 
 What way would you suggest to make it more conforming to your use case? 
 Are you suggesting REST interface doing the above or something else?
 Oh, I think the JSON option is the best one currently available. But I do 
 think REST-ful service would be a good idea.
 
 I would be willing to test option 4 if that is where the future is headed.
 
 Ok, just note that this still means LDAP interface a need to talk in LDAP 
 protocol.
 This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
 Cayenne since you can model those ldap entities and simply set their 
 attributes and insert. At a lower level JNDI will handle it. I personally 
 prefer this over building strings, sending commands, etc.
 
 So this will be ready upstream within several weeks or so. Would you test 
 it once it is available before the official upstream release?
 
 Hi Dmitri - following up on this to see how progress is going on this 
 project. I am definitely still interested in testing this. In the meantime, 
 I have been pursuing http client calls posting json. And I have some 
 questions I need to pursue on that as well. Should I take this to 
 freeipa-devel?
 
 Hello Timothy,
 
 I am sorry we did not update this thread, but in the end we decided not to 
 invest in the REST interface ourselves at this moment (read - FreeIPA 4.2), 
 but rather work on stabilizing and documenting current JSON-RPC API we have 
 as we believe the API is easily usable from major languages even though it is 
 not RESTy. To prove our point, we need good documentation of it and examples 
 for the major languages.
 
 This is the proposal of what shall be done in FreeIPA 4.2 that I sent to 
 freeipa-devel:
 http://www.redhat.com/archives/freeipa-devel/2015-April/msg00061.html
 
 I hope the way we go for the next release is acceptable for you. In the mean 
 time, if you have specific questions on calling JSON from your programs, both 
 freeipa-users and freeipa-devel may be suitable, depending on how deep you 
 want to go in the code...
 
 HTH,
 Martin

Thanks Martin:

OK, just to verify - The staging approach (Dmitri spoke about) of inserting 
records into a staged user schema and having them inserted via a cron job is 
now off for near releases. I am anxious to see that happen.

But, I am working on a java http client (apache httpclient + 
jaas/Krb5LoginModule) that posts json to the ipaserver. However, I am having 
some difficulty with kerberos negotiation and I should probably start a 
separate thread on that - either here or on freeipa-devel.

Tim Worman
UCLA GSEIS



Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Timothy Worman
 On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote:
 
 On 03/26/2015 03:19 PM, Timothy Worman wrote:
 On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:
 On 03/26/2015 07:37 PM, Timothy Worman wrote:
 Thanks everyone for the input.
 
 I do agree that I don’t like the sound of option 1. I don’t want to be 
 sending CLI commands from a remote host. And option 3 sounds a bit 
 brittle to me.
 
 2 sounds like the most solid option available right now. I like the fact 
 that there’s an existing/working API there. I’ll need to look into 
 converting my objects into json.
 
 This area honestly seems like one of the weakest aspects of freeipa. There 
 really needs to be a way to push known person entities into the directory 
 easily.
 There may be some disconnect, the JSONRPC/XMLRPC API is the way we still 
 see as an easy way to manipulate the entries (besides CLI and Web UI). In 
 Python, adding new user is that easy:
 
 ~~~
 from ipalib import api
 from ipalib import errors
 
 api.bootstrap(context='cli')
 api.finalize()
 api.Backend.rpcclient.connect()
 api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
 ~~~
 
 What way would you suggest to make it more conforming to your use case? Are 
 you suggesting REST interface doing the above or something else?
 Oh, I think the JSON option is the best one currently available. But I do 
 think REST-ful service would be a good idea.
 
 I would be willing to test option 4 if that is where the future is headed.
 
 Ok, just note that this still means LDAP interface a need to talk in LDAP 
 protocol.
 This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
 Cayenne since you can model those ldap entities and simply set their 
 attributes and insert. At a lower level JNDI will handle it. I personally 
 prefer this over building strings, sending commands, etc.
 
 So this will be ready upstream within several weeks or so. Would you test it 
 once it is available before the official upstream release?

Hi Dmitri - following up on this to see how progress is going on this project. 
I am definitely still interested in testing this. In the meantime, I have been 
pursuing http client calls posting json. And I have some questions I need to 
pursue on that as well. Should I take this to freeipa-devel?

Tim

 
 Tim
 
 Tim
 
 On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 03/24/2015 01:29 AM, Dmitri Pal wrote:
 On 03/23/2015 05:56 PM, Timothy Worman wrote:
 I have an existing web app built with java/WebObjects that currently 
 handles
 some user/groups tasks with our current directory server (Open 
 Directory). We
 are investigating a move to FreeIPA for our directory services.
 
 Just in mucking around, I’ve found that if I try to insert a new user
 (inetOrgPerson) into IPA’s implementation, the new user does not 
 inherit
 all the object classes it should. It only inherits the ones leading to
 inetOrgPerson. This does result in a successful inetOrgPerson 
 insertion, but
 that user record does not show up in the Web GUI management tools.
 
 Usually, I have focused on inetOrgPerson because that is where the bulk 
 of
 the info about a user lives.
 
 We have a SQL database that contains people in our organization (used by
 other services), so, we need to be able to leverage that and push users 
 into
 IPA when appropriate and we have an existing app to do this.
 
 Tim W
 
 You have several options:
 1) Call ipa CLI from your application - this is possible right now (but 
 not
 quite nice)
 2) Call ipa JSON API from your application - this is not supported but
 possible. We use python API. You can do it in Java but it will be a lot 
 of work.
 3) Use more elaborate LDAP add commands (with all the object classes 
 needed for
 users). Hard, but doable.
 4) Help us with testing the upcoming feature
 http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would 
 allow
 creating users via simple ldap command in a staging area and then moving 
 them
 to normal users area with automatic creation of missing attributes by 
 means of
 a cron job.
 
 I would vote for 1) as a temp solution and 4) as a longer term one.
 I do not fully agree with preferring 1) over 2). Java has libraries for
 JSON-RPC protocol, it should be pretty doable to write a call that calls 
 the
 user_add command.
 
 We are lacking proper documentation for the API, but what you can look in 
 the
 sources or in the Web UI with and see the JSONs sent to the server, if 
 you are
 interested in the real life examples.
 
 Advantage of 2) over 1) is that you get the native objects (strings, 
 arrays,
 numbers) and you do not need to parse it from CLI.
 
 Martin
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 



Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Martin Kosek

On 05/28/2015 07:10 PM, Timothy Worman wrote:

On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote:

On 03/26/2015 03:19 PM, Timothy Worman wrote:

On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:

On 03/26/2015 07:37 PM, Timothy Worman wrote:

Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily.

There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding new user is that easy:

~~~
from ipalib import api
from ipalib import errors

api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
~~~

What way would you suggest to make it more conforming to your use case? Are you 
suggesting REST interface doing the above or something else?

Oh, I think the JSON option is the best one currently available. But I do think 
REST-ful service would be a good idea.


I would be willing to test option 4 if that is where the future is headed.

Ok, just note that this still means LDAP interface a need to talk in LDAP 
protocol.

This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
Cayenne since you can model those ldap entities and simply set their attributes 
and insert. At a lower level JNDI will handle it. I personally prefer this over 
building strings, sending commands, etc.


So this will be ready upstream within several weeks or so. Would you test it 
once it is available before the official upstream release?


Hi Dmitri - following up on this to see how progress is going on this project. 
I am definitely still interested in testing this. In the meantime, I have been 
pursuing http client calls posting json. And I have some questions I need to 
pursue on that as well. Should I take this to freeipa-devel?


Hello Timothy,

I am sorry we did not update this thread, but in the end we decided not to 
invest in the REST interface ourselves at this moment (read - FreeIPA 4.2), but 
rather work on stabilizing and documenting current JSON-RPC API we have as we 
believe the API is easily usable from major languages even though it is not 
RESTy. To prove our point, we need good documentation of it and examples for 
the major languages.


This is the proposal of what shall be done in FreeIPA 4.2 that I sent to 
freeipa-devel:

http://www.redhat.com/archives/freeipa-devel/2015-April/msg00061.html

I hope the way we go for the next release is acceptable for you. In the mean 
time, if you have specific questions on calling JSON from your programs, both 
freeipa-users and freeipa-devel may be suitable, depending on how deep you want 
to go in the code...


HTH,
Martin


Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Timothy Worman
On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 03/26/2015 07:37 PM, Timothy Worman wrote:
 Thanks everyone for the input.
 
 I do agree that I don’t like the sound of option 1. I don’t want to be 
 sending CLI commands from a remote host. And option 3 sounds a bit 
 brittle to me.
 
 2 sounds like the most solid option available right now. I like the fact 
 that there’s an existing/working API there. I’ll need to look into 
 converting my objects into json.
 
 This area honestly seems like one of the weakest aspects of freeipa. There 
 really needs to be a way to push known person entities into the directory 
 easily.
 
 There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see 
 as an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
 adding new user is that easy:
 
 ~~~
 from ipalib import api
 from ipalib import errors
 
 api.bootstrap(context='cli')
 api.finalize()
 api.Backend.rpcclient.connect()
 api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
 ~~~
 
 What way would you suggest to make it more conforming to your use case? Are 
 you suggesting REST interface doing the above or something else?

Oh, I think the JSON option is the best one currently available. But I do think 
REST-ful service would be a good idea.

 I would be willing to test option 4 if that is where the future is headed.
 
 Ok, just note that this still means LDAP interface a need to talk in LDAP 
 protocol.

This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
Cayenne since you can model those ldap entities and simply set their attributes 
and insert. At a lower level JNDI will handle it. I personally prefer this over 
building strings, sending commands, etc.

Tim

 
 Tim
 
 On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 03/24/2015 01:29 AM, Dmitri Pal wrote:
 On 03/23/2015 05:56 PM, Timothy Worman wrote:
 I have an existing web app built with java/WebObjects that currently 
 handles
 some user/groups tasks with our current directory server (Open 
 Directory). We
 are investigating a move to FreeIPA for our directory services.
 
 Just in mucking around, I’ve found that if I try to insert a new user
 (inetOrgPerson) into IPA’s implementation, the new user does not 
 inherit
 all the object classes it should. It only inherits the ones leading to
 inetOrgPerson. This does result in a successful inetOrgPerson insertion, 
 but
 that user record does not show up in the Web GUI management tools.
 
 Usually, I have focused on inetOrgPerson because that is where the bulk of
 the info about a user lives.
 
 We have a SQL database that contains people in our organization (used by
 other services), so, we need to be able to leverage that and push users 
 into
 IPA when appropriate and we have an existing app to do this.
 
 Tim W
 
 You have several options:
 1) Call ipa CLI from your application - this is possible right now (but not
 quite nice)
 2) Call ipa JSON API from your application - this is not supported but
 possible. We use python API. You can do it in Java but it will be a lot of 
 work.
 3) Use more elaborate LDAP add commands (with all the object classes 
 needed for
 users). Hard, but doable.
 4) Help us with testing the upcoming feature
 http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
 creating users via simple ldap command in a staging area and then moving 
 them
 to normal users area with automatic creation of missing attributes by 
 means of
 a cron job.
 
 I would vote for 1) as a temp solution and 4) as a longer term one.
 
 I do not fully agree with preferring 1) over 2). Java has libraries for
 JSON-RPC protocol, it should be pretty doable to write a call that calls the
 user_add command.
 
 We are lacking proper documentation for the API, but what you can look in 
 the
 sources or in the Web UI with and see the JSONs sent to the server, if you 
 are
 interested in the real life examples.
 
 Advantage of 2) over 1) is that you get the native objects (strings, arrays,
 numbers) and you do not need to parse it from CLI.
 
 Martin
 
 



Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Martin Kosek

On 03/26/2015 07:37 PM, Timothy Worman wrote:

Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily.


There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding new user is that easy:


~~~
from ipalib import api
from ipalib import errors

api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
~~~

What way would you suggest to make it more conforming to your use case? Are you 
suggesting REST interface doing the above or something else?



I would be willing to test option 4 if that is where the future is headed.


Ok, just note that this still means LDAP interface a need to talk in LDAP 
protocol.


Tim


On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:

On 03/24/2015 01:29 AM, Dmitri Pal wrote:

On 03/23/2015 05:56 PM, Timothy Worman wrote:

I have an existing web app built with java/WebObjects that currently handles
some user/groups tasks with our current directory server (Open Directory). We
are investigating a move to FreeIPA for our directory services.

Just in mucking around, I’ve found that if I try to insert a new user
(inetOrgPerson) into IPA’s implementation, the new user does not inherit
all the object classes it should. It only inherits the ones leading to
inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
that user record does not show up in the Web GUI management tools.

Usually, I have focused on inetOrgPerson because that is where the bulk of
the info about a user lives.

We have a SQL database that contains people in our organization (used by
other services), so, we need to be able to leverage that and push users into
IPA when appropriate and we have an existing app to do this.

Tim W


You have several options:
1) Call ipa CLI from your application - this is possible right now (but not
quite nice)
2) Call ipa JSON API from your application - this is not supported but
possible. We use python API. You can do it in Java but it will be a lot of work.
3) Use more elaborate LDAP add commands (with all the object classes needed for
users). Hard, but doable.
4) Help us with testing the upcoming feature
http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
creating users via simple ldap command in a staging area and then moving them
to normal users area with automatic creation of missing attributes by means of
a cron job.

I would vote for 1) as a temp solution and 4) as a longer term one.


I do not fully agree with preferring 1) over 2). Java has libraries for
JSON-RPC protocol, it should be pretty doable to write a call that calls the
user_add command.

We are lacking proper documentation for the API, but what you can look in the
sources or in the Web UI with and see the JSONs sent to the server, if you are
interested in the real life examples.

Advantage of 2) over 1) is that you get the native objects (strings, arrays,
numbers) and you do not need to parse it from CLI.

Martin





Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Dmitri Pal

On 03/26/2015 03:19 PM, Timothy Worman wrote:

On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:

On 03/26/2015 07:37 PM, Timothy Worman wrote:

Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily.

There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding new user is that easy:

~~~
from ipalib import api
from ipalib import errors

api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
~~~

What way would you suggest to make it more conforming to your use case? Are you 
suggesting REST interface doing the above or something else?

Oh, I think the JSON option is the best one currently available. But I do think 
REST-ful service would be a good idea.


I would be willing to test option 4 if that is where the future is headed.

Ok, just note that this still means LDAP interface a need to talk in LDAP 
protocol.

This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
Cayenne since you can model those ldap entities and simply set their attributes 
and insert. At a lower level JNDI will handle it. I personally prefer this over 
building strings, sending commands, etc.


So this will be ready upstream within several weeks or so. Would you 
test it once it is available before the official upstream release?



Tim


Tim


On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:

On 03/24/2015 01:29 AM, Dmitri Pal wrote:

On 03/23/2015 05:56 PM, Timothy Worman wrote:

I have an existing web app built with java/WebObjects that currently handles
some user/groups tasks with our current directory server (Open Directory). We
are investigating a move to FreeIPA for our directory services.

Just in mucking around, I’ve found that if I try to insert a new user
(inetOrgPerson) into IPA’s implementation, the new user does not inherit
all the object classes it should. It only inherits the ones leading to
inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
that user record does not show up in the Web GUI management tools.

Usually, I have focused on inetOrgPerson because that is where the bulk of
the info about a user lives.

We have a SQL database that contains people in our organization (used by
other services), so, we need to be able to leverage that and push users into
IPA when appropriate and we have an existing app to do this.

Tim W


You have several options:
1) Call ipa CLI from your application - this is possible right now (but not
quite nice)
2) Call ipa JSON API from your application - this is not supported but
possible. We use python API. You can do it in Java but it will be a lot of work.
3) Use more elaborate LDAP add commands (with all the object classes needed for
users). Hard, but doable.
4) Help us with testing the upcoming feature
http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
creating users via simple ldap command in a staging area and then moving them
to normal users area with automatic creation of missing attributes by means of
a cron job.

I would vote for 1) as a temp solution and 4) as a longer term one.

I do not fully agree with preferring 1) over 2). Java has libraries for
JSON-RPC protocol, it should be pretty doable to write a call that calls the
user_add command.

We are lacking proper documentation for the API, but what you can look in the
sources or in the Web UI with and see the JSONs sent to the server, if you are
interested in the real life examples.

Advantage of 2) over 1) is that you get the native objects (strings, arrays,
numbers) and you do not need to parse it from CLI.

Martin



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Timothy Worman
Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds a bit brittle to 
me. 

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily. I would be willing to test option 4 if that is where the future is 
headed.

Tim

 On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 03/24/2015 01:29 AM, Dmitri Pal wrote:
 On 03/23/2015 05:56 PM, Timothy Worman wrote:
 I have an existing web app built with java/WebObjects that currently handles
 some user/groups tasks with our current directory server (Open Directory). 
 We
 are investigating a move to FreeIPA for our directory services.
 
 Just in mucking around, I’ve found that if I try to insert a new user
 (inetOrgPerson) into IPA’s implementation, the new user does not 
 inherit
 all the object classes it should. It only inherits the ones leading to
 inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
 that user record does not show up in the Web GUI management tools.
 
 Usually, I have focused on inetOrgPerson because that is where the bulk of
 the info about a user lives.
 
 We have a SQL database that contains people in our organization (used by
 other services), so, we need to be able to leverage that and push users into
 IPA when appropriate and we have an existing app to do this.
 
 Tim W
 
 You have several options:
 1) Call ipa CLI from your application - this is possible right now (but not
 quite nice)
 2) Call ipa JSON API from your application - this is not supported but
 possible. We use python API. You can do it in Java but it will be a lot of work.
 3) Use more elaborate LDAP add commands (with all the object classes needed for
 users). Hard, but doable.
 4) Help us with testing the upcoming feature
 http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
 creating users via simple ldap command in a staging area and then moving them
 to normal users area with automatic creation of missing attributes by means of
 a cron job.
 
 I would vote for 1) as a temp solution and 4) as a longer term one.
 
 I do not fully agree with preferring 1) over 2). Java has libraries for
 JSON-RPC protocol, it should be pretty doable to write a call that calls the
 user_add command.
 
 We are lacking proper documentation for the API, but what you can look in the
 sources or in the Web UI with and see the JSONs sent to the server, if you are
 interested in the real life examples.
 
 Advantage of 2) over 1) is that you get the native objects (strings, arrays,
 numbers) and you do not need to parse it from CLI.
 
 Martin



Re: [Freeipa-users] inserting users via java

2015-03-24 Thread Martin Kosek
On 03/24/2015 01:29 AM, Dmitri Pal wrote:
 On 03/23/2015 05:56 PM, Timothy Worman wrote:
 I have an existing web app built with java/WebObjects that currently handles
 some user/groups tasks with our current directory server (Open Directory). We
 are investigating a move to FreeIPA for our directory services.

 Just in mucking around, I’ve found that if I try to insert a new user
 (inetOrgPerson) into IPA’s implementation, the new user does not inherit
 all the object classes it should. It only inherits the ones leading to
 inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
 that user record does not show up in the Web GUI management tools.

 Usually, I have focused on inetOrgPerson because that is where the bulk of
 the info about a user lives.

 We have a SQL database that contains people in our organization (used by
 other services), so, we need to be able to leverage that and push users into
 IPA when appropriate and we have an existing app to do this.

 Tim W

 You have several options:
 1) Call ipa CLI from your application - this is possible right now (but not
 quite nice)
 2) Call ipa JSON API from your application - this is not supported but
 possible. We use python API. You can do it in Java but it will be a lot of work.
 3) Use more elaborate LDAP add commands (with all the object classes needed for
 users). Hard, but doable.
 4) Help us with testing the upcoming feature
 http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
 creating users via simple ldap command in a staging area and then moving them
 to normal users area with automatic creation of missing attributes by means of
 a cron job.
 
 I would vote for 1) as a temp solution and 4) as a longer term one.

I do not fully agree with preferring 1) over 2). Java has libraries for
JSON-RPC protocol, it should be pretty doable to write a call that calls the
user_add command.

We are lacking proper documentation for the API, but what you can look in the
sources or in the Web UI with and see the JSONs sent to the server, if you are
interested in the real life examples.

Advantage of 2) over 1) is that you get the native objects (strings, arrays,
numbers) and you do not need to parse it from CLI.

Martin
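
The user_add call over JSON-RPC that Martin describes, as an added example that is not part of the original thread and not FreeIPA's own code. It builds the request body equivalent to the Python `user_add` call quoted earlier in the thread and checks the reply's `error` member; a Java client would send the same JSON. The host name, the uid allowlist and the sample replies are assumptions constructed for illustration, and the `/ipa/session/json` path and `Referer` header describe FreeIPA's session-based RPC endpoint rather than anything stated in the thread.

```python
import json
import re
import urllib.request

IPA_HOST = "ipa.example.test"  # assumption: placeholder host, not from the thread
# Assumption: a conservative login-name allowlist for rows pulled from the SQL source.
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


class IpaError(Exception):
    """Raised when the JSON-RPC reply carries a non-null "error" member."""


def build_user_add(uid, givenname, sn, req_id=0):
    """Return the JSON-RPC body equivalent to api.Command['user_add'](uid, ...)."""
    if not UID_RE.fullmatch(uid):
        raise ValueError("rejected uid: %r" % uid)
    # params is [positional args, keyword options]; json.dumps does the escaping,
    # so names containing quotes or backslashes cannot alter the structure.
    envelope = {"method": "user_add",
                "params": [[uid], {"givenname": givenname, "sn": sn}],
                "id": req_id}
    return json.dumps(envelope).encode("utf-8")


def build_request(body, host=IPA_HOST):
    """Prepare (but do not send) the POST; the server checks the Referer header."""
    return urllib.request.Request(
        "https://%s/ipa/session/json" % host, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Referer": "https://%s/ipa" % host})


def parse_reply(raw):
    """Return the command result, or raise IpaError with the server's error name."""
    reply = json.loads(raw)
    if reply.get("error"):
        err = reply["error"]
        raise IpaError("%s: %s" % (err.get("name"), err.get("message")))
    return reply["result"]


# Constructed sample replies (shape only; not captured from a real server).
SAMPLE_OK = '{"result": {"value": "newuser", "summary": "Added user"}, "error": null, "id": 0}'
SAMPLE_DUP = ('{"result": null, "error": {"code": 4002, "name": "DuplicateEntry", '
              '"message": "already exists"}, "id": 0}')

if __name__ == "__main__":
    body = build_user_add("newuser", "New", 'User "Jr"')
    print(build_request(body).full_url, body.decode())
    print(parse_reply(SAMPLE_OK)["value"])
```

The request still needs an authenticated session (cookie or Kerberos) before the server will accept it; that step is outside this sketch.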


[Freeipa-users] inserting users via java

2015-03-23 Thread Timothy Worman
I have an existing web app built with java/WebObjects that currently handles 
some user/groups tasks with our current directory server (Open Directory). We 
are investigating a move to FreeIPA for our directory services.

Just in mucking around, I’ve found that if I try to insert a new user 
(inetOrgPerson) into IPA’s implementation, the new user does not inherit 
all the object classes it should. It only inherits the ones leading to 
inetOrgPerson. This does result in a successful inetOrgPerson insertion, but 
that user record does not show up in the Web GUI management tools.

Usually, I have focused on inetOrgPerson because that is where the bulk of the 
info about a user lives.

We have a SQL database that contains people in our organization (used by other 
services), so, we need to be able to leverage that and push users into IPA when 
appropriate and we have an existing app to do this.

Tim W


Re: [Freeipa-users] inserting users via java

2015-03-23 Thread Dmitri Pal

On 03/23/2015 05:56 PM, Timothy Worman wrote:

I have an existing web app built with java/WebObjects that currently handles 
some user/groups tasks with our current directory server (Open Directory). We 
are investigating a move to FreeIPA for our directory services.

Just in mucking around, I’ve found that if I try to insert a new user 
(inetOrgPerson) into IPA’s implementation, the new user does not inherit 
all the object classes it should. It only inherits the ones leading to 
inetOrgPerson. This does result in a successful inetOrgPerson insertion, but 
that user record does not show up in the Web GUI management tools.

Usually, I have focused on inetOrgPerson because that is where the bulk of the 
info about a user lives.

We have a SQL database that contains people in our organization (used by other 
services), so, we need to be able to leverage that and push users into IPA when 
appropriate and we have an existing app to do this.

Tim W


You have several options:
1) Call ipa CLI from your application - this is possible right now (but 
not quite nice)
2) Call ipa JSON API from your application - this is not supported but 
possible. We use python API. You can do it in Java but it will be a lot 
of work.
3) Use more elaborate LDAP add commands (with all the object classes 
needed for users). Hard, but doable.
4) Help us with testing the upcoming feature 
http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would 
allow creating users via simple ldap command in a staging area and then 
moving them to normal users area with automatic creation of missing 
attributes by means of a cron job.


I would vote for 1) as a temp solution and 4) as a longer term one.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
