[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

Dmitri Pal dpal at redhat.com
Fri Jan 31 11:52:46 UTC 2014


On 01/31/2014 05:03 AM, Martin Kosek wrote:
> On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote:
>> On 30/01/2014 19:25, Dmitri Pal wrote:
>>> On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote:
> ...
>>> To call into IPA you can use "ipa ..." command line or use our API from
>>> python client. Since you are using Java calling into "ipa" command is
>>> probably the best option.
>> Actually, a RESTful interface (HTTP/JSON) would better suit our development
>> model and deployment scenarios.
> FreeIPA does not have (currently) a RESTful interface (though it is being
> partially designed in [8]). However it has a Kerberos-protected
> JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the
> server.

I suggest that you look at the implementation of [8] and create a user
provisioning smart proxy similar to it.
This proxy would expose the REST API that can be consumed by your
connector or some other system and will be a part of IPA.
Internally the proxy will call JSON RPC against IPA and have all the
"business logic".
So the recommendation is to make your connector lightweight and leverage
a proxy that can be reused by other systems.

> We do not, however, have a good (read "none") documentation of the interface,
> see related discussion in freeipa-users list [6].

And would appreciate if you start a wiki page to record it as you go so
that we can start documenting it.

>
>>> In future we plan to allow insertion of the users via an ldap command
>>> https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for
>>> this spring.
>>>
>>> What are other use cases and workflows you have?
>>> Do you have a password reset self service?
>>> If you do it might be nice external addition to FreeIPA if it integrates
>>> into the UI seamlessly.
>> The idea is to deploy the latest FreeIPA version in our lab, start playing with
>> it and come to this list for asking for more information we are not able to
>> find in the wiki (just to avoid some graceful RTFMs...).
>> Then, every time we get something working, we will also check here whether we
>> are heading into the right direction, if we are missing some important points,
>> etc.
>>
>> Does it sound?
> Sounds good to me, you should be able to find all documentation links in [7].

+1

>
>> Regards.
>>
>>> [1] http://syncope.apache.org/
>>> [2] http://tirasa.github.io/ConnId/
>>> [3] http://java.net/projects/identityconnectors/
>>> [4] https://github.com/Tirasa/ConnIdFreeIPABundle
>> [5]
>> http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html
> [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html
> [7] http://www.freeipa.org/page/Documentation
> [8] http://www.freeipa.org/page/V3/Smart_Proxy
>
> Martin


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
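
The proxy arrangement suggested in this message, as an added example (not part of the original e-mail and not FreeIPA or Smart Proxy code): a thin REST front end that forwards only an allow-listed set of commands and options to IPA's JSON-RPC interface. The REST routes, the host name, and the assumed server details (the /ipa/json path, the Referer header, the user_add/user_show/user_del command and option names) are assumptions for illustration.

```python
import json
import re

IPA_HOST = "ipa.example.test"             # placeholder host name (assumption)
IPA_URL = f"https://{IPA_HOST}/ipa/json"  # assumed Kerberos-protected JSON-RPC path

# Hypothetical REST routes -> (IPA command, options the proxy will forward).
ROUTES = {
    ("POST", "users"): ("user_add", {"givenname", "sn", "mail"}),
    ("GET", "users"): ("user_show", set()),
    ("DELETE", "users"): ("user_del", set()),
}
UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")


class Rejected(ValueError):
    """Request refused by the proxy before anything reaches IPA."""


def to_jsonrpc(http_method, path, body=None):
    """Translate one REST call into (url, headers, JSON-RPC body text)."""
    parts = [p for p in path.split("/") if p]
    route = ROUTES.get((http_method.upper(), parts[0])) if parts else None
    if route is None:
        raise Rejected("unknown route")
    command, allowed = route
    options = dict(body or {})
    if command == "user_add" and len(parts) == 1:
        uid = options.pop("uid", None)   # new user: login comes in the body
    elif command != "user_add" and len(parts) == 2:
        uid = parts[1]                   # existing user: login is in the path
    else:
        raise Rejected("unknown route")
    if not isinstance(uid, str) or not UID_RE.fullmatch(uid):
        raise Rejected("invalid uid")
    extra = set(options) - allowed
    if extra:
        raise Rejected("option not allowed: " + ", ".join(sorted(extra)))
    if not all(isinstance(v, str) for v in options.values()):
        raise Rejected("option values must be strings")
    payload = {"method": command, "params": [[uid], options], "id": 0}
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Referer": f"https://{IPA_HOST}/ipa",  # assumed to be checked by the server
    }
    # Sending is left out: the POST needs SPNEGO/Kerberos authentication.
    return IPA_URL, headers, json.dumps(payload, sort_keys=True)
```

Because only the proxy holds the Kerberos credential, the connector can reach nothing beyond the three routes, and options such as a password field are refused before any call is made.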

