[Freeipa-users] inserting users via java

Martin Kosek mkosek at redhat.com
Fri May 29 06:39:23 UTC 2015


On 05/28/2015 11:00 PM, Timothy Worman wrote:
> On May 28, 2015, at 12:26 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>> On 05/28/2015 07:10 PM, Timothy Worman wrote:
>>>> On Mar 26, 2015, at 3:08 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>> On 03/26/2015 03:19 PM, Timothy Worman wrote:
>>>>> On Mar 26, 2015, at 11:42 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>> On 03/26/2015 07:37 PM, Timothy Worman wrote:
>>>>>>> Thanks everyone for the input.
>>>>>>>
>>>>>>> I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a remote host. And option 3 sounds a bit brittle to me.
>>>>>>>
>>>>>>> 2 sounds like the most solid option available right now. I like the fact that there’s an existing/working API there. I’ll need to look into converting my objects into json.
>>>>>>>
>>>>>>> This area honestly seems like one of the weakest aspects of freeipa. There really needs to be a way to push known person entities into the directory easily.
>>>>>> There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as an easy way to manipulate the entries (besides CLI and Web UI). In Python, adding new user is that easy:
>>>>>>
>>>>>> ~~~
>>>>>> from ipalib import api
>>>>>> from ipalib import errors
>>>>>>
>>>>>> api.bootstrap(context='cli')
>>>>>> api.finalize()
>>>>>> api.Backend.rpcclient.connect()
>>>>>> api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
>>>>>> ~~~
>>>>>>
>>>>>> What way would you suggest to make it more conforming to your use case? Are you suggesting REST interface doing the above or something else?
>>>>> Oh, I think the JSON option is the best one currently available. But I do think REST-ful service would be a good idea.
>>>>>
>>>>>> I would be willing to test option 4 if that is where the future is headed.
>>>>>>
>>>>>> Ok, just note that this still means LDAP interface a need to talk in LDAP protocol.
>>>>> This may not be a bad thing if you’re using an ORM like Webobjects/EOF or Cayenne since you can model those ldap entities and simply set their attributes and insert. At a lower level JNDI will handle it. I personally prefer this over building strings, sending commands, etc.
>>>>
>>>> So this will be ready upstream within several weeks or so. Would you test it once it is available before the official upstream release?
>>>
>>> Hi Dmitri - following up on this to see how progress is going on this project. I am definitely still interested in testing this. In the meantime, I have been pursuing http client calls posting json. And I have some questions I need to pursue on that as well. Should I take this to freeipa-devel?
>>
>> Hello Timothy,
>>
>> I am sorry we did not update this thread, but in the end we decided not to invest in the REST interface ourselves at this moment (read - FreeIPA 4.2), but rather work on stabilizing and documenting current JSON-RPC API we have as we believe the API is easily usable from major languages even though it is not RESTy. To prove our point, we need good documentation of it and examples for the major languages.
>>
>> This is the proposal of what shall be done in FreeIPA 4.2 that I sent to freeipa-devel:
>> http://www.redhat.com/archives/freeipa-devel/2015-April/msg00061.html
>>
>> I hope the way we go for the next release is acceptable for you. In the mean time, if you have specific questions on calling JSON from your programs, both freeipa-users and freeipa-devel may be suitable, depending on how deep you want to go in the code...
>>
>> HTH,
>> Martin
>
> Thanks Martin:
>
> OK, just to verify - The staging approach (Dmitri spoke about) of inserting records into a staged user schema and having them inserted via a cron job is now off for near releases. I am anxious to see that happen.

Ah, looks like I misread the thread branches about what was actually promised. The 
FreeIPA User Life Cycle feature (staging users can be added via LDAP and later 
activated) *is* going to FreeIPA 4.2 and is actually mostly implemented, it 
will be part of FreeIPA 4.2 Alpha release, so you can try it out then.

This is the upstream tracker:
https://fedorahosted.org/freeipa/ticket/3813

> But, I am working on a java http client (apache httpclient + jaas/Krb5LoginModule) that posts json to the ipaserver. However, I am having some difficulty with kerberos negotiation and I should probably start a separate thread on that - either here or on freeipa-devel.

Ok. Feel free to ask. I do not expect too big problems with JSON&Kerberos. 
AFAIK, you do not even need to use JSON calls and Kerberos at the same 
time. With FreeIPA, you can simply login to the API via HTTPS+SPNEGO, get a 
session code and use that for HTTPS JSON API calls (this helps if a JSON 
library cannot do Kerberos auth out of the box).

Martin
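
The flow described in the reply above (log in once over HTTPS+SPNEGO, then reuse the session for HTTPS JSON calls), as an added Java example that is not code from this thread or from the FreeIPA project. It assumes the server host name is passed as the first argument, FreeIPA's `/ipa/session/login_kerberos` and `/ipa/session/json` endpoints (not named in the thread), Java 17 or later, a TGT in the default ticket cache, and the IPA CA in the JVM trust store; with no argument it only prints the request body.

```java
import java.net.CookieManager;
import java.net.URI;
import java.net.http.*;
import java.util.Base64;
import org.ietf.jgss.*;

// Added example. Assumes Java 17+, a TGT from kinit, and the IPA CA in the JVM trust store.
public class IpaSessionDemo {
    // Escape a value as a JSON string so user data cannot alter the request structure.
    static String q(String s) {
        StringBuilder b = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') b.append('\\').append(c);
            else if (c < 0x20) b.append(String.format("\\u%04x", (int) c));
            else b.append(c);
        }
        return b.append('"').toString();
    }
    // JSON-RPC body mirroring the user_add call quoted earlier in the thread.
    static String userAdd(String uid, String given, String sn) {
        return "{\"method\":\"user_add\",\"params\":[[" + q(uid) + "],{\"givenname\":"
             + q(given) + ",\"sn\":" + q(sn) + "}],\"id\":0}";
    }
    // SPNEGO token for the HTTP/<host> service principal, built from the ticket cache.
    static String negotiate(String host) throws GSSException {
        GSSManager m = GSSManager.getInstance();
        GSSContext ctx = m.createContext(m.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE),
                new Oid("1.3.6.1.5.5.2"), null, GSSContext.DEFAULT_LIFETIME);
        try {
            return "Negotiate " + Base64.getEncoder().encodeToString(ctx.initSecContext(new byte[0], 0, 0));
        } finally { ctx.dispose(); }
    }
    public static void main(String[] args) throws Exception {
        String body = userAdd("newuser", "New", "User");
        if (args.length == 0) { System.out.println(body); return; } // dry run, no network
        String base = "https://" + args[0] + "/ipa";
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        HttpClient http = HttpClient.newBuilder().cookieHandler(new CookieManager()).build();
        // Step 1: Kerberos is used once, only to obtain the session cookie.
        HttpResponse<Void> login = http.send(HttpRequest.newBuilder(URI.create(base + "/session/login_kerberos"))
                .header("Referer", base).header("Authorization", negotiate(args[0]))
                .POST(HttpRequest.BodyPublishers.noBody()).build(), HttpResponse.BodyHandlers.discarding());
        if (login.statusCode() != 200) throw new IllegalStateException("login failed: " + login.statusCode());
        // Step 2: plain HTTPS JSON-RPC; the CookieManager replays the session cookie.
        HttpResponse<String> rpc = http.send(HttpRequest.newBuilder(URI.create(base + "/session/json"))
                .header("Referer", base).header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build(), HttpResponse.BodyHandlers.ofString());
        System.out.println(rpc.statusCode() + " " + rpc.body());
    }
}
```

FreeIPA reports command failures inside the JSON reply, so check its `error` member as well as the HTTP status.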
