[Freeipa-users] IBM Tivoli Identity Manager connector to manage IPA

Willem Bos whbos at xs4all.nl
Fri Aug 24 06:21:50 UTC 2012


Hi Sylvain,

I'm not familiar with Tivoli but maybe it's able to generate HTTP
requests?  I recently did a proof-of-concept (with help from this
mailing list) to provision IPA with usernames/passwords. It's really a
re-write of a post from Adam Young
(http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/)
and info from The IPA API documented at
https://fedorahosted.org/freeipa/browser/API.txt

In this procedure you should replace curl with Tivoli.

# Add the (IPA) account you want to use for provisioning to the
passSyncManagersDNs 'group' so that users that are created through
provisioning do not have to change their passwords at first login. In
this example I used 'admin' but you probably want a dedicated user:
cat > add_passsync_manager.ldif << EOF
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=localdomain
EOF

ldapmodify -x -D "cn=Directory Manager" -W -f add_passsync_manager.ldif

# Check :
ldapsearch -LLL -x -D "cn=Directory Manager" -W -b
"cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passsyncmanagersdns
...
passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=localdomain

# The .json file is the 'add user' request that Tivoli should generate:
cat > add_user_test.json << EOF
{
  "method":"user_add",
  "params":[
    [],
    {
      "uid":"test",
      "givenname":"test",
      "sn":"test",
      "userpassword":"test"
    }
  ]
}
EOF

# Tivoli needs to be able to pass Kerberos credentials with the HTTP
request (the '--negotiate -u :' part):
kinit admin
curl -v \
  --header referer:https://<IPA_HOST>/ipa \
  --header "Content-Type:application/json" \
  --header "Accept:application/json" \
  --negotiate -u : \
  --delegation always \
  --cacert /etc/ipa/ca.crt \
  --data @add_user_test.json \
  --request POST https://<IPA_HOST>/ipa/json
…
        "summary": "Added user \"test\"",
…

# Check. The user should not be asked to change his password:
kinit test

Regards,
Willem.
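The request/response handling from the procedure above, as an added Python example that is not part of Willem's post: it builds the same 'user_add' JSON-RPC body, writes it to disk with owner-only permissions (the file carries the initial password in clear), masks the password for logging, and classifies IPA's reply. The reply layout (result.summary on success, an error object with name/code/message on failure), the `<IPA_HOST>` placeholder and the function names are assumptions; the Kerberos Negotiate transport is left to curl as shown above.

```python
import json
import os

# Placeholder endpoint, exactly as written in the post above (not a real host).
IPA_JSON_URL = "https://<IPA_HOST>/ipa/json"


def build_user_add_request(uid, givenname, sn, userpassword, request_id=0):
    """Build the JSON-RPC body for IPA 'user_add': positional args first
    (none here), then the options dict, as in add_user_test.json above."""
    for name, value in (("uid", uid), ("givenname", givenname), ("sn", sn)):
        if not value or not value.strip():
            raise ValueError(f"{name} must be a non-empty string")
    return {
        "method": "user_add",
        "params": [[], {"uid": uid, "givenname": givenname,
                        "sn": sn, "userpassword": userpassword}],
        "id": request_id,
    }


def write_request_file(path, request):
    """Write the request as JSON with mode 0600: the file holds the initial
    password in clear, so it must not be group/world readable. Returns bytes written."""
    data = json.dumps(request, indent=2).encode()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        return fh.write(data)


def redact(request):
    """Copy of a request with the password masked, safe for logs or audit trails."""
    opts = dict(request["params"][1])
    if "userpassword" in opts:
        opts["userpassword"] = "***"
    return {**request, "params": [list(request["params"][0]), opts]}


def parse_ipa_response(body):
    """Return (ok, message) for an IPA JSON-RPC reply. Assumed layout (from
    observed IPA replies, not from the post): success carries result.summary
    and error=null; failure carries an error object with name, code, message."""
    reply = json.loads(body)
    err = reply.get("error")
    if err:
        return False, f"{err.get('name')} ({err.get('code')}): {err.get('message')}"
    return True, reply["result"]["summary"]


if __name__ == "__main__":
    req = build_user_add_request("test", "test", "test", "test")
    print(json.dumps(redact(req)))  # password never reaches stdout/logs
```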

On Thu, Aug 23, 2012 at 9:53 PM, Sylvain Angers <sylvainangers at gmail.com> wrote:
> Hello all,
>
> Within our organisation, we use IBM Tivoli Identity Manager connectors to
> provision users/groups onto all our different types of systems. Currently there
> are as many connectors as we have unix boxes. As each unix box uses local auth,
> we use ITIM to push users/groups to local files... We have been investigating IPA
> for a while, and now we wonder if a regular LDAP connector from IBM Tivoli
> Identity Manager could be used to feed IPA so we would have one connector to
> manage our UNIX boxes via IPA. Our security folks would continue to have one
> single interface to do user/group provisioning.
>
> I found out that there is already an ITIM LDAP connector available, but is
> there such a thing as an LDAP interface to manage IPA?
> Or is the only way to get ITIM to manage IPA via a new connector
> built from remote ipa command lines?
>
> Thank you!
>
> --
> Sylvain Angers
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users