[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

Dmitri Pal dpal at redhat.com
Mon Mar 10 18:17:07 UTC 2014


On 03/10/2014 08:24 AM, Petr Viktorin wrote:
> On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote:
>> Hi all,
>>
>>
>> On 03 Feb 2014, at 11:41, Francesco Chicchiriccò
>> <ilgrosso at apache.org> wrote:
>>
>>> On 31/01/2014 18:57, Dmitri Pal wrote:
>>>> On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote:
>>>>> Are you saying that we should split our development in two:
>>>>>
>>>>> (1) smart proxy, exposing the RESTful interface, developed on the
>>>>> basis of [8]
>>>>>
>>>>> (2) actual ConnId connector, dealing with the proxy above for
>>>>> implementing its own logic
>>>> Correct
>>>>
>>>>> If so, could you please point to the source code of [8]?
>>>>> Will then this eventually become part of FreeIPA?
>>>> Quite soon. I would leave it to the team to suggest whether user and
>>>> host provisioning smart proxies should be a same smart proxy or
>>>> different so that they can be installed independently from each other
>>>> but use the same approach. IMO having them separately but share the
>>>> same code and approach will be more valuable to the project. But I am
>>>> open to other ideas here.
>>>>
>>>>> I am actually not sure if it is "lightweight" connector could actually
>>>>> be better than a "loaded" connector (e.g. without proxy), from a
>>>>> deployment point of view, unless you are saying either that (a) a
>>>>> smart proxy is already available that can be reused
>>>> The idea can be reused as a starting point. IMO the easiest would be to
>>>> look at the patches and use same machinery but implement different
>>>> commands.
>>>>
>>>>> or that (b) incorporating the smart proxy that we are going to develop
>>>>> into FreeIPA will easily happen.
>>>> If done right: i.e. following process and style then yes.
>>>>
>>>> Please become familiar with the coding style [9] page on the wiki and
>>>> other contributor guidelines [10].
>>>> Also having a design page created as a result of the preliminary
>>>> investigation would go a long way towards acceptance and quality of the
>>>> feature.
>>>>
>>>> We will gladly guide you on the way if you have specific questions
>>>>
>>>> [...]
>>>
>>> Ok then, we'll do it as follows.
>>>
>>> We are currently experimenting with FreeIPA, to get familiar with
>>> technology and options; once we will be confident enough to start the
>>> actual work on the connector, we will check the status of the smart
>>> proxy patches from [11].
>>>
>>> If the implementation status will be close to be ready and about to be
>>> included in the official distribution, we will follow the suggestions
>>> above and develop a REST-based connector.
>>
>> We are starting to implement a FreeIPA ConnId connector for Apache Syncope.
>> We have to implement all identity operations defined by the ConnId
>> framework.
>> I would like to know the implementation status of the Smart/Proxy and if
>> we can use it for all the identity operations.
>
> I'm reviewing the Foreman Smart proxy patches now. They're not in the 
> FreeIPA repository yet. However the remaining issues were with 
> packaging, code organization, naming.
>
> The Smart Proxy is now specific to Foreman provisioning; it is not a 
> full REST interface so it will probably not support all operations you 
> need.
>
> For a full REST interface, patches are welcome but the core FreeIPA 
> team has other priorities at the moment.  The RFE ticket is here: 
> https://fedorahosted.org/freeipa/ticket/4168.

For user provisioning you do not need a full REST API. You need to have 
a similar proxy but just for user-related operations.
So the smart proxy can be used as a model to do what you need to 
implement for Syncope integration.
What are the operations you need to implement? Can you list them?


>
>>> Otherwise, we will instead specialize the CMD connector [12] to
>>> feature the FreeIPA command-line interface (as suggested at the
>>> beginning of this thread). There will be potentially need, in this
>>> case, to include the ConnId connector server into the Syncope
>>> deployment architecture, but this is a supported pattern.
>
> Have you looked at JSON-RPC interface mentioned earlier in this 
> thread, and [6]? It might be cleaner to use that than the command-line 
> interface.
>
>
>
>> [1] http://syncope.apache.org/
>> [2] http://tirasa.github.io/ConnId/
>> [3] http://java.net/projects/identityconnectors/
>> [4] https://github.com/Tirasa/ConnIdFreeIPABundle
>> [5] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html
>> [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html
>> [7] http://www.freeipa.org/page/Documentation
>> [8] http://www.freeipa.org/page/V3/Smart_Proxy
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
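
Added example, not part of the original message and not FreeIPA or ConnId code: a sketch of the user-only proxy idea above combined with the JSON-RPC interface mentioned in the thread, where the proxy builds FreeIPA JSON-RPC request bodies only for an allowlisted set of user commands. The operation labels, the per-command option allowlists and the login pattern are assumptions made for illustration.

```python
import re

# FreeIPA user commands reachable through the proxy. The operation names on the
# left are labels assumed for this sketch, not ConnId or FreeIPA identifiers.
ALLOWED_METHODS = {
    "create": "user_add",
    "update": "user_mod",
    "delete": "user_del",
    "get": "user_show",
    "search": "user_find",
}

# Options forwarded per command (assumed policy); everything else is refused.
ALLOWED_OPTIONS = {
    "user_add": {"givenname", "sn", "mail"},
    "user_mod": {"givenname", "sn", "mail"},
    "user_del": set(),
    "user_show": set(),
    "user_find": {"mail", "sizelimit"},
}

LOGIN_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")  # assumed login policy


class Rejected(ValueError):
    """Raised when a request falls outside the user-provisioning scope."""


def build_request(operation, login, options=None, request_id=0):
    """Return a FreeIPA JSON-RPC request body, or raise Rejected."""
    method = ALLOWED_METHODS.get(operation)
    if method is None:
        raise Rejected(f"operation not exposed by this proxy: {operation!r}")
    if not isinstance(login, str) or not LOGIN_RE.fullmatch(login):
        raise Rejected("login does not match the proxy's login policy")
    options = dict(options or {})
    unexpected = sorted(set(options) - ALLOWED_OPTIONS[method])
    if unexpected:
        raise Rejected(f"options not allowed for {method}: {unexpected}")
    for key, value in options.items():
        if not isinstance(value, (str, int)):
            raise Rejected(f"option {key!r} must be a string or integer")
    # JSON-RPC body: positional arguments first, then the options dictionary.
    return {"method": method, "params": [[login], options], "id": request_id}
```

Because the proxy holds the FreeIPA credentials, refusing unknown operations and options here keeps a compromised or misconfigured connector from reaching commands outside user provisioning.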

