[Freeipa-users] Provision user accounts & groups from external IM

Willem Bos whbos at xs4all.nl
Wed Jun 6 12:34:12 UTC 2012


Hi Alexander,

I did some experimenting with the example at
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
and am now able to create a user using the following as input to curl (-d
@user_add.json):

{
  "method":"user_add",
  "params":[
    [],
    {
      "uid":"test",
      "givenname":"test",
      "sn":"test",
      "userpassword":"test"
    }
  ]
}

I'm left with two questions :
- Is it possible to use a hashed password (as stored in the 'meta-IM') as a
value for userpassword? And if so, will this propagate to the created
Kerberos principal?
- After creation, I'm forced to change the password when running `kinit
test`. Is it possible to prevent the forced password change? As a
test, I tried to set the '-needchange' attribute using kadmin but that
returned "... Insufficient access while modifying..."

I grepped the mailing list archives / API.txt / source code / etc. for
clues but without success...

Regards,
Willem.

On Tue, Jun 5, 2012 at 12:51 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Tue, 05 Jun 2012, Willem Bos wrote:
>
>> Hi Alexander,
>>
>> Thanks for your quick response.
>>
>> Yes, the server on which the external IM environment is hosted does not
>> have the ipa utils available. As a matter of fact, the server might even
>> be hosted off-site. We're just beginning to explore IM solutions for our
>> environment and the most likely architecture is a 'meta-IM' service that
>> provisions platform specific IM's like AD, Oracle's Internet Directory and
>> IPA. It will probably be a requirement that the meta-IM is to provision
>> IPA directly (instead of Meta-IM -> AD -> IPA).
>>
>> The JSON interface looks promising, I will certainly try the example
>> provided. Would user_add be the suitable command to use? It's the obvious
>> candidate, but I just want to make sure...
>>
> Yes, user_add is the command.
>
> --
> / Alexander Bokovoy
>
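
Added example, not part of the original thread or of FreeIPA: one way to generate the user_add.json input described above from external IM records, so that field values are JSON-escaped, the login name is validated, and the file holding the clear-text password is owner-readable only. The function names, the uid pattern and the sample records are assumptions made for this illustration.

```python
import json
import os
import re
import secrets
import tempfile

# Assumption: a conservative local login-name policy, not FreeIPA's own rule.
UID_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

def build_user_add(record):
    """Build a user_add body shaped like the request in the message."""
    uid = record["uid"]
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"rejected uid from external IM: {uid!r}")
    options = {
        "uid": uid,
        "givenname": record["givenname"],
        "sn": record["sn"],
        # One-time random value; the message reports that the first
        # kinit forces a password change anyway.
        "userpassword": secrets.token_urlsafe(18),
    }
    return {"method": "user_add", "params": [[], options]}

def write_request(body, directory):
    """Write the body for `curl -d @file`, readable by the owner only."""
    uid = body["params"][1]["uid"]
    path = os.path.join(directory, f"user_add_{uid}.json")
    # O_EXCL refuses to reuse an existing file; 0o600 because the file
    # contains a clear-text password.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(body, fh)  # json.dump escapes quotes and control chars
    return path

if __name__ == "__main__":
    # Constructed sample records standing in for the meta-IM export.
    records = [
        {"uid": "jdoe", "givenname": "John", "sn": 'O"Doe'},
        {"uid": 'eve"x', "givenname": "Eve", "sn": "E"},  # fails validation
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rec in records:
            try:
                print("wrote", write_request(build_user_add(rec), tmp))
            except ValueError as exc:
                print("skipped:", exc)
```

Delete each request file once curl has submitted it, since it contains the initial password.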