<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/08/2013 06:33 PM, It Meme wrote:
<blockquote
cite="mid:CA+h5jVz8FoON0=M+30DspEZHVwKWDRofQhNfP-3UOKhomKrbqg@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Dmitri:
<div><br>
</div>
<div style="">Yes, we are evaluating ways of provisioning users
and their group memberships for Joiner, Mover, Leaver (JML)
events.</div>
<div><br>
</div>
<div style="">We were thinking of your suggestion as an option
and your reply was very helpful.</div>
<div style=""><br>
</div>
<div style="">Our expected real-time scenario is probably 5
mins latency.</div>
<div style=""><br>
</div>
<div style="">Is it viable to explore provisioning
accounts/group to the destination tree via LDAP calls and a
subsequent cron job runs, identifies the newly provisioned
accounts, and applies modifications to create the IPA-specific
attributes? Or is the temp folder the only option?</div>
</div>
</blockquote>
You can do either. I think it is more error prone for you to try to
convert the user that is already inserted. You would have to make sure
that all the attributes are in place. You would have to decompose
the logic of the IPA user add and effectively re-implement it.<br>
<br>
<br>
Another approach would be to build a "simple" bridge that would take
an LDAP request and translate it into an IPA JSON request. Such a tool
would be quite useful for us too. I am not sure how simple such a thing
would be in reality though.<br>
<br>
<blockquote
cite="mid:CA+h5jVz8FoON0=M+30DspEZHVwKWDRofQhNfP-3UOKhomKrbqg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style=""><br>
</div>
<div style=""><br>
</div>
<div style="">Thank you for all your great help.</div>
<div style=""><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Feb 8, 2013 at 2:39 PM, Dmitri
Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5"> On 02/08/2013 05:29 PM, It Meme wrote:
<blockquote type="cite">
<div dir="ltr">Hi:
<div><br>
</div>
<div>Scenario:</div>
<div><br>
</div>
<div>1) User is created via LDAP call to IPA
(i.e. the 389 Directory Server)</div>
<div><br>
</div>
<div>The above user will not have IPA-specific
attributes.</div>
<div><br>
</div>
<div>Can we use the Python Library, or CLI, to
modify the account to IPA-ize it?</div>
</div>
</blockquote>
<br>
</div>
</div>
Is this an integration with the external provisioning
system?<br>
Do you need to do it in real time or in batches?<br>
<br>
A simple solution that comes to mind is:<br>
to create users in a different sub tree in ipa temporarily<br>
run a cron job to inspect this area and translate the data
in this temp entry into the arguments of the CLI add user
command and then clean this temp area.<br>
ldap search > parse > ipa user-add<br>
delete processed temp entries<br>
<br>
The job can run at the cadence you think is reasonable -
30 min maybe?<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Thanks.</div>
</div>
<br>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
<span class="HOEnZb"><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
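<p>The staging-subtree flow described in the thread (ldap search, parse, ipa user-add, delete processed temp entries), as an added example that is not part of the original messages and is not FreeIPA code. The staging DN, the attribute-to-option mapping, the login pattern and the sample LDIF are assumptions constructed for illustration; the sketch validates each staged entry, builds the command as an argument list so attribute values are never interpreted by a shell, and reports only successfully added entries as safe to delete.</p>

```python
import re
import subprocess

# Constructed sample: ldapsearch output from a hypothetical staging subtree.
STAGED_LDIF = """\
dn: uid=jdoe,ou=staging,dc=example,dc=com
uid: jdoe
givenName: John
sn: Doe
mail: jdoe@example.com

dn: uid=-x;id,ou=staging,dc=example,dc=com
uid: -x;id
givenName: Bad
sn: Login

dn: uid=nolast,ou=staging,dc=example,dc=com
uid: nolast
givenName: No
"""
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")  # assumed login policy
OPTIONS = {"givenName": "--first", "sn": "--last", "mail": "--email"}

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({k: v for k, sep, v in pairs if sep})
    return entries

def plan(entries):
    """Return (jobs, rejected): jobs are (dn, argv) pairs for valid entries."""
    jobs, rejected = [], []
    for e in entries:
        ok = all(e.get(a) for a in ("uid", "givenName", "sn"))
        if not ok or not LOGIN_RE.fullmatch(e["uid"]):
            rejected.append(e.get("dn"))  # leave in staging for review
            continue
        # argv list, never a shell string; --opt=value keeps values as data
        argv = ["ipa", "user-add", e["uid"]]
        argv += [f"{opt}={e[a]}" for a, opt in OPTIONS.items() if e.get(a)]
        jobs.append((e["dn"], argv))
    return jobs, rejected

def apply_jobs(jobs, run=subprocess.run):
    """Run each ipa user-add; return only the DNs whose add succeeded."""
    return [dn for dn, argv in jobs if run(argv).returncode == 0]
```

<p>Only the DNs returned by apply_jobs should be removed from the staging area; rejected and failed entries stay there for review.</p>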
</body>
</html>