[Freeipa-users] Python Client

Dmitri Pal dpal at redhat.com
Fri Feb 8 23:57:26 UTC 2013


On 02/08/2013 06:33 PM, It Meme wrote:
> Hi Dmitri:
>
> Yes, we are evaluating ways of provisioning users and their group
> memberships for Joiner, Mover, Leaver (JML) events.
>
> We were thinking of your suggestion as an option and your reply was
> very helpful.
>
> Our expected real-time scenario is probably 5 mins latency.
>
> Is it viable to explore provisioning accounts/group to the destination
> tree via LDAP calls and a subsequent cron job runs, identifies the
> newly provisioned accounts, and applies modifications to create the
> IPA-specific attributes? Or is the temp folder the only option?
You can do either. I think it is more error prone for you to try to
convert the user that is already inserted. You would have to make sure that
all the attributes are in place. You would have to decompose the logic
of the IPA user add and effectively re-implement it.


Another approach would be to build a "simple" bridge that would take
an LDAP request and translate it into an IPA JSON request. Such a tool would be
quite useful for us too. I am not sure how simple such a thing would be in
reality though.

>
>
> Thank you for all your great help.
>
>
>
> On Fri, Feb 8, 2013 at 2:39 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 02/08/2013 05:29 PM, It Meme wrote:
>>     Hi:
>>
>>     Scenario:
>>
>>     1) User is created via LDAP call to IPA (i.e. the 389 Directory
>>     Server)
>>
>>     The above user will not have IPA-specific attributes.
>>
>>     Can we use the Python Library, or CLI, to modify the account to
>>     IPA-ize it?
>
>     Is this an integration with the external provisioning system?
>     Do you need to do it in real time or in batches?
>
>     A simple solution that comes to mind is:
>     to create users in a different sub tree in ipa temporarily
>     run a cron job to inspect this area and translate the data in this
>     temp entry into the arguments of the CLI add user command and then
>     clean this temp area.
>     ldap search > parse > ipa user-add
>     delete processed temp entries
>
>     The job can run at the cadence you think is reasonable - 30 min
>     maybe?
>
>>
>>     Thanks.
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
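
The staging-subtree job outlined in the quoted reply (ldap search > parse > ipa user-add > delete processed temp entries), as an added Python example that is not part of the original thread or FreeIPA's own code. It covers the parse and user-add steps; the attribute map, login pattern and function names are assumptions, entries are in python-ldap's `(dn, {attr: [bytes]})` shape, and the job is assumed to already hold a Kerberos ticket for the `ipa` CLI.

```python
import re
import subprocess

# LDAP attribute -> `ipa user-add` option; anything not listed is dropped.
ATTR_TO_OPTION = {
    "givenName": "--first",
    "sn": "--last",
    "mail": "--email",
    "loginShell": "--shell",
    "homeDirectory": "--homedir",
}
REQUIRED = ("uid", "givenName", "sn")
# Conservative login pattern (an assumption): it cannot start with "-", so the
# positional login can never be parsed as a command-line option.
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")

def first_value(entry, attr):
    """First value of an attribute; python-ldap style entries hold bytes."""
    values = entry.get(attr) or [None]
    value = values[0]
    return value.decode("utf-8") if isinstance(value, bytes) else value

def build_user_add_argv(entry):
    """Translate one staging entry into an argv list for `ipa user-add`."""
    missing = [a for a in REQUIRED if not first_value(entry, a)]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    login = first_value(entry, "uid")
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("rejected login: %r" % login)
    argv = ["ipa", "user-add", login]
    for attr, option in ATTR_TO_OPTION.items():
        value = first_value(entry, attr)
        if value:
            if any(ord(ch) < 32 for ch in value):
                raise ValueError("control character in " + attr)
            argv.append("%s=%s" % (option, value))  # one token per option
    return argv

def process_staging(entries, run=subprocess.run):
    """Run user-add per entry; return the DNs that are safe to delete."""
    processed = []
    for dn, entry in entries:
        try:
            argv = build_user_add_argv(entry)
        except ValueError:
            continue  # leave the entry in staging for manual review
        if run(argv).returncode == 0:  # argv list, no shell involved
            processed.append(dn)
    return processed
```

Delete only the DNs that `process_staging` returns, so a rejected or failed entry stays in the staging subtree for review.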

