[Freeipa-users] Python Client

Dmitri Pal dpal at redhat.com
Sun Feb 10 15:32:51 UTC 2013


On 02/09/2013 11:53 AM, John Dennis wrote:
> On 02/08/2013 05:29 PM, It Meme wrote:
>> Hi:
>>
>> Scenario:
>>
>> 1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)
>>
>> The above user will not have IPA-specific attributes.
>>
>> Can we use the Python Library, or CLI, to modify the account to
>> IPA-ize it?
>
> You're really better off using the IPA API directly rather than trying
> to bypass it. Why? Because we implement additional logic inside the
> commands. If you could achieve everything IPA does by just modifying
> an LDAP server there wouldn't be a need for IPA. A good example of
> this is group membership, some of that logic is handled directly by a
> plugin to the 389 DS, but a large part of it is implemented in the IPA
> commands that manage users and groups. You really don't want to bypass
> it.
>
> You have a number of options on how to call the IPA commands:
>
> 1) the ipa command line client
>
> 2) sending the command formatted in JSON to the server
>
> 3) sending the command formatted in XML-RPC to the server
>
> 4) calling the command from your own python code
>
> 5) using the web GUI
>
> It's really not hard to call the IPA command line client from a
> program, typically this is done via a "system" command of which there
> are a number of variants.
>
> The following thread has a discussion of how to invoke one of our
> commands from Python code, this particular email response from Martin
> shows how it can be done in about half a dozen lines of code.
>
> https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html
>
> What I'm not understanding is why you're avoiding using the commands we
> provide. If you're not familiar with how to call another
> program/process we can help you or just google it. Or is the problem
> your existing management system does not provide you with any "hooks"
> to execute code when an action occurs. But from everything you've said
> so far you imply it does provide such hooks. Perhaps if you could be
> more specific we could be more helpful.
>
It seems that the management system in question can insert an entry into
LDAP but can't do the "generic" hook.
I bet this is the issue here.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
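
Added example, not part of the original thread or of FreeIPA's own code: one way to drive option 1 from the quoted list (the ipa command line client) from a provisioning hook without passing account data through a shell. The function names, the login pattern and the injectable runner are assumptions made for this sketch; the caller is assumed to already hold a Kerberos ticket for an account allowed to add users.

```python
import re
import subprocess

# Conservative login pattern (an assumption for this example, stricter than
# what IPA itself accepts). The first character may not be '-', so the login
# can never be parsed as a command line option.
LOGIN_RE = re.compile(r"[a-z0-9_][a-z0-9_.-]{0,31}")


def build_user_add_argv(login, first, last):
    """Return the argv list for `ipa user-add`, or raise ValueError."""
    # fullmatch, not match: a trailing newline must not slip through.
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("rejected login: %r" % login)
    for label, value in (("first", first), ("last", last)):
        # Empty values and control characters have no place in a name field.
        if not value or any(ord(ch) < 0x20 for ch in value):
            raise ValueError("rejected %s name: %r" % (label, value))
    # --opt=value keeps each value attached to its option, so a value that
    # starts with '-' cannot be read as a separate option.
    return ["ipa", "user-add", login, "--first=" + first, "--last=" + last]


def add_user(login, first, last, runner=subprocess.run):
    """Run `ipa user-add` without a shell; returns (ok, stdout, stderr)."""
    argv = build_user_add_argv(login, first, last)
    # argv as a list and no shell: metacharacters in the data are passed
    # to the ipa client as plain bytes and are never interpreted.
    result = runner(argv, capture_output=True, text=True, check=False)
    return result.returncode == 0, result.stdout, result.stderr
```

Going through the ipa client this way keeps the server-side command logic in the path, and the validation step fails closed before any process is started.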

