[Freeipa-users] IBM Tivoli Identity Manager connector to manage IPA

Dmitri Pal dpal at redhat.com
Mon Sep 10 13:06:15 UTC 2012


On 08/24/2012 02:21 AM, Willem Bos wrote:
> Hi Sylvain,
>
> I'm not familiar with Tivoli but maybe it's able to generate HTTP
> requests?  I recently did a proof-of-concept (with help from this
> mailing list) to provision IPA with usernames/passwords. It's really a
> re-write of a post from Adam Young
> (http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/)
> and info from The IPA API documented at
> https://fedorahosted.org/freeipa/browser/API.txt
>
> In this procedure you should replace curl with Tivoli.
>
> # Add the (IPA) account you want to use for provisioning to the
> # passSyncManagerDNs 'group' so that users that are created through
> # provisioning do not have to change their passwords at first login. In
> # this example I used 'admin' but you probably want a dedicated user:
> cat > add_passsync_manager.ldif << EOF
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=localdomain
> EOF
>
> ldapmodify -x -D "cn=Directory Manager" -W -f add_passsync_manager.ldif
>
> # Check:
> ldapsearch -LLL -x -D "cn=Directory Manager" -W \
>   -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passsyncmanagersdns
> ...
> passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=localdomain
>
> # The .json file is the 'add user' request that Tivoli should generate:
> cat > add_user_test.json << EOF
> {
>   "method":"user_add",
>   "params":[
>     [],
>     {
>       "uid":"test",
>       "givenname":"test",
>       "sn":"test",
>       "userpassword":"test"
>     }
>   ]
> }
> EOF
>
> # Tivoli needs to be able to pass Kerberos credentials with the HTTP
> # request (the '--negotiate -u :' part):
> kinit admin
> curl -v \
>   --header referer:https://<IPA_HOST>/ipa \
>   --header "Content-Type:application/json" \
>   --header "Accept:application/json" \
>   --negotiate -u : \
>   --delegation always \
>   --cacert /etc/ipa/ca.crt  \
>   --data @add_user_test.json \
>   --request POST https://<IPA_HOST>/ipa/json
> ...
>         "summary": "Added user \"test\"",
>
> # Check. The user should not be asked to change his password:
> kinit test
>
> Regards,
> Willem.

Sylvain,

I am very interested in finding out what you decided to do to
implement this.
IMO it would be very beneficial to have a supported way for Tivoli to
connect to IPA and provision users.
Doing it via the IPA interface as mentioned above is the right way to do it.
Do you have any pointer to IBM Tivoli documentation that comments on how
to create special connectors?
I would like to include this as an item for a long term IPA roadmap.

If you or anyone else has some information on the matter please help us
here.
I will open a ticket and capture all the recommendations there.

Thanks
Dmitri

> On Thu, Aug 23, 2012 at 9:53 PM, Sylvain Angers <sylvainangers at gmail.com> wrote:
>> Hello all,
>>
>> Within our organisation, we use IBM Tivoli Identity Manager connectors to
>> provision users/groups onto all our different types of systems. Currently there
>> are as many connectors as we have unix boxes. As each unix box uses local auth,
>> we use ITIM to push users/groups to local files... We have been investigating IPA
>> for a while, and now we wonder if a regular LDAP connector from IBM Tivoli
>> Identity Manager could be used to feed IPA so we would have one connector to
>> manage our UNIX boxes via IPA. Our security folks would continue to have one
>> single interface to do user/group provisioning.
>>
>> I found out that there is already an ITIM LDAP connector available, but is
>> there such a thing as an LDAP interface to manage IPA?
>> Or would the only way to get ITIM to manage IPA be via a new connector
>> built from remote ipa command lines?
>>
>> Thank you!
>>
>> --
>> Sylvain Angers
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
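The JSON-RPC exchange in Willem's procedure above, as an added example that is not part of this thread: it builds the user_add request with the same headers the curl call sends and checks the reply for IPA-level errors, which come back with HTTP 200. The host name, request id and both sample replies are constructed for the example.

```python
import json
import secrets
import string

IPA_HOST = "ipa.example.test"  # placeholder for the real IPA server name


def generate_initial_password(length=20):
    """One-time initial password instead of a fixed value such as 'test'."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_user_add_request(uid, givenname, sn, password=None, req_id=0):
    """Return (url, headers, body) for an IPA JSON-RPC user_add call.
    params is [positional args, options dict]; like the quoted post, all
    attributes are passed as options."""
    if password is None:
        password = generate_initial_password()
    body = {"method": "user_add", "id": req_id,
            "params": [[], {"uid": uid, "givenname": givenname, "sn": sn,
                            "userpassword": password}]}
    headers = {
        # IPA refuses JSON-RPC posts whose Referer is not on the IPA host.
        "Referer": f"https://{IPA_HOST}/ipa",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return f"https://{IPA_HOST}/ipa/json", headers, json.dumps(body)


def parse_user_add_response(raw):
    """Return the result summary, or raise if IPA reported an error.
    IPA answers HTTP 200 even when the command fails; the failure sits in
    the 'error' member, so a connector must check it explicitly."""
    resp = json.loads(raw)
    err = resp.get("error")
    if err is not None:
        raise RuntimeError(f"{err.get('name')} ({err.get('code')}): {err.get('message')}")
    return resp["result"]["summary"]


# Constructed sample replies using the envelope IPA returns.
OK_REPLY = json.dumps({"result": {"summary": 'Added user "test"', "value": "test"},
                       "error": None, "id": 0, "principal": "admin@EXAMPLE.TEST"})
DUP_REPLY = json.dumps({"result": None, "id": 0, "principal": "admin@EXAMPLE.TEST",
                        "error": {"code": 4002, "name": "DuplicateEntry",
                                  "message": 'user with name "test" already exists'}})
```

The Kerberos leg (kinit plus SPNEGO on the POST) is left to whatever HTTP client the connector uses; the body and headers produced here are what it sends.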
