<div dir="ltr">Hi Dimitri:<div><br></div><div style>Thank you for your helpful posts.</div><div style><br></div><div style>Do you know of any organization that provisions accounts and groups in real-time, from an external IdM system, to IPA, via CLI?</div> <div style><br></div><div style>We have an IdM system which will be reading data from HR, and making 'joiner, mover, leaver, decisions' - accounts are provisioned, deleted, groups changed etc based on the HR data.</div> <div style><br></div><div style>Is it feasible to consider the IdM system calling the CLI, via scripts, to create/delete accounts, manage groups, in near real-time?</div><div style><br></div><div style>I am gathering the details on options and present it to management.</div> <div style><br></div><div style>Thanks.</div><div style><br></div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Feb 1, 2013 at 4:42 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"> On 02/01/2013 07:00 PM, It Meme wrote: <blockquote type="cite"> <div dir="ltr">Hi: <div><br> </div> <div>We would like to trigger creation of user accounts from another application - is this possible completely by LDAP calls? <br> </div> <div><br> </div> <div>Or using the APIs, the best way to proceed?</div> </div> </blockquote> <br></div></div> Actually using CLIs would be a preferred and supported way for the time being.<br> APIs would be the second. They are stable but not public. We have not published them because so far no one seriously considered calling IPA from another application. May be you are going to be the first. You can look at the extnsibility guide. Also we would be able to provide additional guidance but we are not ready to call it an API we not going to break so if you are fine with modifying your app if we change things it might be a good option for both of us to move to a more production ready API.<br> LDAP is not a preferred method for creation of the entries because we do more in the code than just calling LDAP modify.<br> We can help you to craft something but effectively you would have to duplicate our ipa user-add logic within your code. I suspect you do not want to go this path.<br> <br> Thanks<br> Dmitri<br> <blockquote type="cite"> <div dir="ltr"> <div><br> </div> <div>Thanks.</div> <div><br> </div> <div><br> </div> </div> <br> <fieldset></fieldset> <br> <pre>_______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre><span class="HOEnZb"><font color="#888888"> </font></span></blockquote><span class="HOEnZb"><font color="#888888"> <br> <br> <pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </font></span></div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br></div>