[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

Fri Jan 31 13:43:47 UTC 2014

On 31.1.2014 14:17, Francesco Chicchiriccò wrote:
> On 31/01/2014 12:52, Dmitri Pal wrote:
>> On 01/31/2014 05:03 AM, Martin Kosek wrote:
>>> On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote:
>>>> On 30/01/2014 19:25, Dmitri Pal wrote:
>>>>> On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote:
>>> ...
>>>>> To call into IPA you can use "ipa ..." command line or use out API from
>>>>> python client. Since you are using Java calling into "ipa" command is
>>>>> probably the best option.
>>>> Actually, a RESTful interface (HTTP/JSON) would better suit our development
>>>> model and deployment scenarios.
>>> FreeIPA does not have (currently) not RESTful interface (though it is being
>>> partially designed in [8]). However it has a Kerberos-protected
>>> JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the
>>> server.
>> I suggest that you look at the implementation of [8] and create a user
>> provisioning smart proxy similar to it.
>> This proxy would expose the REST API that can be consumed by your
>> connector or some other system and will be a part of IPA.
>> Internally proxy will call JSON RPC against IPA and have all the
>> "busyness logic".
>> So the recommendation is to make your connector lightwight and leverage
>> a proxy that can be reused by other systems.
>
> Are you saying that we should split our development in two:
>
> (1) smart proxy, exposing the RESTful interface, developed on the basis of [8]
>
> (2) actual ConnId connector, dealing with the proxy above for implementing its
> own logic
>
> If so, could you please point to the source code of [8]?
> Will then this eventually become part of FreeIPA?
>
> I am actually not sure if it is "lightweight" connector could actually be
> better than a "loaded" connector (e.g. without proxy), from a deployment point
> of view, unless you are saying either that (a) a smart proxy is already
> available that can be reused or that (b) incorporating the smart proxy that we
> are going to develop into FreeIPA will easily happen.

First patches with SmartProxy were posted to devel mailing list some time ago:
https://www.redhat.com/archives/freeipa-devel/2014-January/msg00213.html

We plan to integrate SmartProxy to the source main tree:
See ticket https://fedorahosted.org/freeipa/ticket/4128

Petr^2 Spacek

>>> We do not, however, have a good (read "none") documentation of the interface,
>>> see related discussion in freeipa-users list [6].
>> And would appreciate if you start a wiki page to record it as you go so
>> that we can start documenting it.
>>
>>>>> In future we plan to allow insertion of the users via an ldap command
>>>>> https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for
>>>>> this spring.
>>>>>
>>>>> What are other use cases and workflows you have?
>>>>> Do you have a password reset self service?
>>>>> If you do it might be nice external addition to FreeIPA if it integrates
>>>>> into the UI seamlessly.
>>>> The idea is to deploy the latest FreeIPA version in our lab, start playing
>>>> with
>>>> it and come to this list for asking for more information we are not able to
>>>> find in the wiki (just to avoid some graceful RTFMs...).
>>>> Then, every time we get something working, we will also check here whether we
>>>> are heading into the right direction, if we are missing some important
>>>> points,
>>>> etc.
>>>>
>>>> Does it sound?
>>> Sounds good to me, you should be able to find all documentation links in [7].
>> +1
>>
>>>>> [1] http://syncope.apache.org/
>>>>> [2] http://tirasa.github.io/ConnId/
>>>>> [3] http://java.net/projects/identityconnectors/
>>>>> [4] https://github.com/Tirasa/ConnIdFreeIPABundle
>>>> [5]
>>>> http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html
>>>>
>>> [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html
>>> [7] http://www.freeipa.org/page/Documentation
>>> [8] http://www.freeipa.org/page/V3/Smart_Proxy