[Freeipa-users] inserting users via java

Martin Kosek mkosek at redhat.com
Thu Mar 26 18:42:46 UTC 2015


On 03/26/2015 07:37 PM, Timothy Worman wrote:
> Thanks everyone for the input.
>
> I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a remote host. And option 3 sounds a bit brittle to me.
>
> 2 sounds like the most solid option available right now. I like the fact that there’s an existing/working API there. I’ll need to look into converting my objects into json.
>
> This area honestly seems like one of the weakest aspects of freeipa. There really needs to be a way to push known person entities into the directory easily.

There may be some disconnect; the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding a new user is that easy:

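~~~
# Run on an IPA-enrolled host with a valid Kerberos ticket (kinit).
from ipalib import api
from ipalib import errors

# Load the IPA configuration and plugins in the same context the CLI uses.
api.bootstrap(context='cli')
api.finalize()
# Open the RPC connection to the IPA server.
api.Backend.rpcclient.connect()
# Positional argument is the login; keyword options become user attributes.
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
~~~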

What way would you suggest to make it more conforming to your use case? Are you 
suggesting a REST interface doing the above or something else?

> I would be willing to test option 4 if that is where the future is headed.

Ok, just note that this still means an LDAP interface and a need to talk in the LDAP protocol.

> Tim
>
>> On Mar 24, 2015, at 12:58 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>> On 03/24/2015 01:29 AM, Dmitri Pal wrote:
>>> On 03/23/2015 05:56 PM, Timothy Worman wrote:
>>>> I have an existing web app built with java/WebObjects that currently handles
>>>> some user/groups tasks with our current directory server (Open Directory). We
>>>> are investigating a move to FreeIPA for our directory services.
>>>>
>>>> Just in mucking around, I’ve found that if I try to insert a new user
>>>> (inetOrgPerson) into IPA’s implementation, the new user does not inherit
>>>> all the object classes it should. It only inherits the ones leading to
>>>> inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
>>>> that user record does not show up in the Web GUI management tools.
>>>>
>>>> Usually, I have focused on inetOrgPerson because that is where the bulk of
>>>> the info about a user lives.
>>>>
>>>> We have a SQL database that contains people in our organization (used by
>>>> other services), so, we need to be able to leverage that and push users into
>>>> IPA when appropriate and we have an existing app to do this.
>>>>
>>>> Tim W
>>>>
>>> You have several options:
>>> 1) Call ipa CLI from your application - this is possible right now (but not
>>> quite nice)
>>> 2) Call ipa JSON API from your application - this is not supported but
>>> possible. We use python API. You can do it in Java but it will be a lot of work.
>>> 3) Use more elaborate LDAP add commands (with all the object classes needed for
>>> users). Hard, but doable.
>>> 4) Help us with testing the upcoming feature
>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
>>> creating users via simple ldap command in a staging area and then moving them
>>> to normal users area with automatic creation of missing attributes by means of
>>> a cron job.
>>>
>>> I would vote for 1) as a temp solution and 4) as a longer term one.
>>
>> I do not fully agree with preferring 1) over 2). Java has libraries for
>> JSON-RPC protocol, it should be pretty doable to write a call that calls the
>> "user_add" command.
>>
>> We are lacking proper documentation for the API, but you can look in the
>> sources or in the Web UI and see the JSONs sent to the server, if you are
>> interested in the real life examples.
>>
>> Advantage of 2) over 1) is that you get the native objects (strings, arrays,
>> numbers) and you do not need to parse it from CLI.
>>
>> Martin
>
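
The wire-level shape of the `user_add` call discussed in this thread, as an added example that is not part of the original message or FreeIPA's own code: it builds the JSON-RPC envelope a non-Python client (such as the Java app) would POST, validates values coming from the upstream SQL database first, and checks the reply's `error` member. The host name, the login pattern and the sample replies are constructed for this example; sending the request and authenticating (Kerberos or a session cookie) are left out.

```python
import json
import re

IPA_HOST = "ipa.example.test"  # placeholder host, not from the thread
# Conservative login pattern: an assumption of this example, stricter than IPA's own rule.
LOGIN_RE = re.compile(r"^[a-z][a-z0-9._-]{0,30}$")


class IpaError(Exception):
    """Raised when the JSON-RPC reply carries a non-null "error" member."""


def build_user_add(login, givenname, sn, req_id=0):
    """Return (url, headers, body) for a user_add call; nothing is sent."""
    if not LOGIN_RE.match(login):
        raise ValueError("rejected login from upstream data: %r" % login)
    for name, value in (("givenname", givenname), ("sn", sn)):
        if not value or any(ord(c) < 32 for c in value):
            raise ValueError("empty or control characters in %s" % name)
    payload = {
        "method": "user_add",
        # Positional arguments first, then keyword options, as in api.Command[...]().
        "params": [[login], {"givenname": givenname, "sn": sn}],
        "id": req_id,
    }
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Referer": "https://%s/ipa" % IPA_HOST,  # the server rejects calls without it
    }
    url = "https://%s/ipa/session/json" % IPA_HOST
    # json.dumps does the escaping; never build the body by string concatenation.
    return url, headers, json.dumps(payload)


def parse_reply(raw):
    """Return the command result, or raise IpaError. HTTP 200 alone is not success."""
    reply = json.loads(raw)
    err = reply.get("error")
    if err:
        raise IpaError("%s (%s): %s" % (err.get("name"), err.get("code"), err.get("message")))
    return reply["result"]["result"]


# Constructed sample replies (not captured from a real server).
OK_REPLY = '{"result": {"result": {"uid": ["newuser"]}, "value": "newuser"}, "error": null, "id": 0}'
DUP_REPLY = ('{"result": null, "id": 0, "error": {"code": 4002, "name": "DuplicateEntry", '
             '"message": "user with name \\"newuser\\" already exists"}}')
```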



