[Freeipa-users] inserting users via java

Timothy Worman lists at thetimmy.com
Thu Mar 26 19:19:18 UTC 2015


On Mar 26, 2015, at 11:42 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
> On 03/26/2015 07:37 PM, Timothy Worman wrote:
>> Thanks everyone for the input.
>> 
>> I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a remote host. And option 3 sounds a bit brittle to me.
>> 
>> 2 sounds like the most solid option available right now. I like the fact that there’s an existing/working API there. I’ll need to look into converting my objects into json.
>> 
>> This area honestly seems like one of the weakest aspects of freeipa. There really needs to be a way to push known person entities into the directory easily.
> 
> There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as an easy way to manipulate the entries (besides CLI and Web UI). In Python, adding a new user is that easy:
> 
> ~~~
> from ipalib import api
> from ipalib import errors
> 
> api.bootstrap(context='cli')
> api.finalize()
> api.Backend.rpcclient.connect()
> api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
> ~~~
> 
> What way would you suggest to make it more conforming to your use case? Are you suggesting REST interface doing the above or something else?

Oh, I think the JSON option is the best one currently available. But I do think a REST-ful service would be a good idea.

>> I would be willing to test option 4 if that is where the future is headed.
> 
> Ok, just note that this still means an LDAP interface and a need to talk in the LDAP protocol.

This may not be a bad thing if you’re using an ORM like WebObjects/EOF or Cayenne since you can model those LDAP entities and simply set their attributes and insert. At a lower level JNDI will handle it. I personally prefer this over building strings, sending commands, etc.

Tim

> 
>> Tim
>> 
>>> On Mar 24, 2015, at 12:58 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>> 
>>> On 03/24/2015 01:29 AM, Dmitri Pal wrote:
>>>> On 03/23/2015 05:56 PM, Timothy Worman wrote:
>>>>> I have an existing web app built with java/WebObjects that currently handles
>>>>> some user/groups tasks with our current directory server (Open Directory). We
>>>>> are investigating a move to FreeIPA for our directory services.
>>>>> 
>>>>> Just in mucking around, I’ve found that if I try to insert a new user
>>>>> (inetOrgPerson) into IPA’s implementation, the new user does not inherit
>>>>> all the object classes it should. It only inherits the ones leading to
>>>>> inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
>>>>> that user record does not show up in the Web GUI management tools.
>>>>> 
>>>>> Usually, I have focused on inetOrgPerson because that is where the bulk of
>>>>> the info about a user lives.
>>>>> 
>>>>> We have a SQL database that contains people in our organization (used by
>>>>> other services), so, we need to be able to leverage that and push users into
>>>>> IPA when appropriate and we have an existing app to do this.
>>>>> 
>>>>> Tim W
>>>>> 
>>>> You have several options:
>>>> 1) Call ipa CLI from your application - this is possible right now (but not
>>>> quite nice)
>>>> 2) Call ipa JSON API from your application - this is not supported but
>>>> possible. We use python API. You can do it in Java but it will be a lot of work.
>>>> 3) Use more elaborate LDAP add commands (with all the object classes needed for
>>>> users). Hard, but doable.
>>>> 4) Help us with testing the upcoming feature
>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
>>>> creating users via simple ldap command in a staging area and then moving them
>>>> to normal users area with automatic creation of missing attributes by means of
>>>> a cron job.
>>>> 
>>>> I would vote for 1) as a temp solution and 4) as a longer term one.
>>> 
>>> I do not fully agree with preferring 1) over 2). Java has libraries for
>>> JSON-RPC protocol, it should be pretty doable to write a call that calls the
>>> "user_add" command.
>>> 
>>> We are lacking proper documentation for the API, but you can look in the
>>> sources or in the Web UI and see the JSONs sent to the server, if you are
>>> interested in the real life examples.
>>> 
>>> Advantage of 2) over 1) is that you get the native objects (strings, arrays,
>>> numbers) and you do not need to parse it from CLI.
>>> 
>>> Martin
>> 
> 

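The user_add call from the Python snippet quoted above, built as a JSON-RPC request in Java 11+ (an added example, not code from this thread or from the FreeIPA project). The host name and session cookie are placeholders, and the /ipa/session/json endpoint assumes a session already established by a prior login; the request is built and printed, not sent.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class IpaUserAdd {
    // Encode a value as a JSON string literal so directory data cannot alter the request.
    static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }

    // JSON-RPC body; params is [[positional arguments], {options}].
    static String userAddBody(String uid, Map<String, String> opts) {
        String options = opts.entrySet().stream()
            .map(e -> quote(e.getKey()) + ":" + quote(e.getValue()))
            .collect(Collectors.joining(","));
        return "{\"method\":\"user_add\",\"params\":[[" + quote(uid) + "],{"
            + options + "}],\"id\":0}";
    }

    // sessionCookie: the name=value pair returned by an earlier login (assumed here).
    static HttpRequest build(String host, String sessionCookie, String body) {
        return HttpRequest.newBuilder(URI.create("https://" + host + "/ipa/session/json"))
            .header("Content-Type", "application/json")
            .header("Referer", "https://" + host + "/ipa") // required by the server
            .header("Cookie", sessionCookie)
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
    }

    public static void main(String[] args) {
        Map<String, String> opts = new LinkedHashMap<>();
        opts.put("givenname", "New");
        opts.put("sn", "O\"Brien"); // constructed value containing a quote
        String body = userAddBody("newuser", opts);
        HttpRequest req = build("ipa.example.test", "PLACEHOLDER=PLACEHOLDER", body);
        System.out.println(req.method() + " " + req.uri());
        System.out.println(body);
        // Send with HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString()).
    }
}
```

The JVM's trust store needs the IPA CA certificate so the HTTPS connection validates normally.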