[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

Mon Mar 10 19:14:45 UTC 2014

On 03/10/2014 07:17 PM, Dmitri Pal wrote:
> On 03/10/2014 08:24 AM, Petr Viktorin wrote:
>> On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote:
>>> Hi all,
>>>
>>>
>>> Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò
>>> <ilgrosso at apache.org <mailto:ilgrosso at apache.org>> ha scritto:
>>>
>>>> On 31/01/2014 18:57, Dmitri Pal wrote:
>>>>> On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote:
[...]
>>>>>> I am actually not sure if it is "lightweight" connector could
>>>>>> actually
>>>>>> be better than a "loaded" connector (e.g. without proxy), from a
>>>>>> deployment point of view, unless you are saying either that (a) a
>>>>>> smart proxy is already available that can be reused
>>>>> The idea can be reused as a starting point. IMO the easiest would
>>>>> be to
>>>>> look at the patches and use same machinery but implement different
>>>>> commands.
>>>>>
>>>>>> or that (b) incorporating the smart proxy that we are going to
>>>>>> develop
>>>>>> into FreeIPA will easily happen.

^ quote left here deliberately

[...]
>>>
>>> We start to implementing a FreeIPA ConnId connector for Apache Syncope.
>>> We have to implement all identity operations defined by the ConnId
>>> framework.
>>> I would like to know the implementation status of the Smart/Proxy and if
>>> we can use it to all the identity operations.
>>
>> I'm reviewing the Foreman Smart proxy patches now. They're not in the
>> FreeIPA repository yet. However the remaining issues were with
>> packaging, code organization, naming.
>>
>> The Smart Proxy is now specific to Foreman provisioning; it is not a
>> full REST interface so it will probably not support all operations you
>> need.
>>
>> For a full REST interface, patches are welcome but the core FreeIPA
>> team has other priorities at the moment.  The RFE ticket is here:
>> https://fedorahosted.org/freeipa/ticket/4168.
>
> For user provisioning you do not need a full REST api. You need to have
> a similar proxy but just for user related operations.
> So the smart proxy can be used as a model to do what you need to
> implement for Syncope integration.

You'd be building two bridges (IPA--REST & REST--ConnID) when you could 
build just one. Unless you already have a suitable generic REST 
connector already, I don't think it's your best option. From this thread 
it seems to me that JSON-RPC--ConnID would not require significantly 
more work than just the REST--ConnID part.

> What are the operations you need to implement? Can you list them?

They were listed earlier in the thread, and [5].

>>>> Otherwise, we will instead specialize the CMD connector [12] to
>>>> feature the FreeIPA command-line interface (as suggested at the
>>>> beginning of this thread). There will be potentially need, in this
>>>> case, to include the ConnId connector server into the Syncope
>>>> deployment architecture, but this is a supported pattern.
>>
>> Have you looked at JSON-RPC interface mentioned earlier in this
>> thread, and [6]? It might be cleaner to use that than the command-line
>> interface.
>>
>>
>>
>>> [1] http://syncope.apache.org/
>>> [2] http://tirasa.github.io/ConnId/
>>> [3] http://java.net/projects/identityconnectors/
>>> [4] https://github.com/Tirasa/ConnIdFreeIPABundle
>>> [5]
>>> http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html
>>>
>>> [6]
>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html
>>> [7] http://www.freeipa.org/page/Documentation
>>> [8] http://www.freeipa.org/page/V3/Smart_Proxy

-- 
Petr³