[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

Francesco Chicchiriccò ilgrosso at apache.org
Fri Jan 31 13:17:05 UTC 2014


On 31/01/2014 12:52, Dmitri Pal wrote:
> On 01/31/2014 05:03 AM, Martin Kosek wrote:
>> On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote:
>>> On 30/01/2014 19:25, Dmitri Pal wrote:
>>>> On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote:
>> ...
>>>> To call into IPA you can use "ipa ..." command line or use our API from
>>>> python client. Since you are using Java calling into "ipa" command is
>>>> probably the best option.
>>> Actually, a RESTful interface (HTTP/JSON) would better suit our development
>>> model and deployment scenarios.
>> FreeIPA does not (currently) have a RESTful interface (though it is being
>> partially designed in [8]). However it has a Kerberos-protected
>> JSON-RPC/XML-RPC interface used by clients or Web UI to communicate with the
>> server.
> I suggest that you look at the implementation of [8] and create a user
> provisioning smart proxy similar to it.
> This proxy would expose the REST API that can be consumed by your
> connector or some other system and will be a part of IPA.
> Internally proxy will call JSON RPC against IPA and have all the
> "business logic".
> So the recommendation is to make your connector lightweight and leverage
> a proxy that can be reused by other systems.

Are you saying that we should split our development in two:

(1) smart proxy, exposing the RESTful interface, developed on the basis 
of [8]

(2) actual ConnId connector, dealing with the proxy above for 
implementing its own logic

If so, could you please point to the source code of [8]?
Will then this eventually become part of FreeIPA?

I am actually not sure if a "lightweight" connector could actually 
be better than a "loaded" connector (e.g. without proxy), from a 
deployment point of view, unless you are saying either that (a) a smart 
proxy is already available that can be reused or that (b) incorporating 
the smart proxy that we are going to develop into FreeIPA will easily 
happen.

>> We do not, however, have a good (read "none") documentation of the interface,
>> see related discussion in freeipa-users list [6].
> And would appreciate if you start a wiki page to record it as you go so
> that we can start documenting it.
>
>>>> In future we plan to allow insertion of the users via an ldap command
>>>> https://fedorahosted.org/freeipa/ticket/3911 it is on the roadmap for
>>>> this spring.
>>>>
>>>> What are other use cases and workflows you have?
>>>> Do you have a password reset self service?
>>>> If you do it might be nice external addition to FreeIPA if it integrates
>>>> into the UI seamlessly.
>>> The idea is to deploy the latest FreeIPA version in our lab, start playing with
>>> it and come to this list for asking for more information we are not able to
>>> find in the wiki (just to avoid some graceful RTFMs...).
>>> Then, every time we get something working, we will also check here whether we
>>> are heading into the right direction, if we are missing some important points,
>>> etc.
>>>
>>> Does it sound?
>> Sounds good to me, you should be able to find all documentation links in [7].
> +1
>
>>>> [1] http://syncope.apache.org/
>>>> [2] http://tirasa.github.io/ConnId/
>>>> [3] http://java.net/projects/identityconnectors/
>>>> [4] https://github.com/Tirasa/ConnIdFreeIPABundle
>>> [5]
>>> http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html
>> [6] https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html
>> [7] http://www.freeipa.org/page/Documentation
>> [8] http://www.freeipa.org/page/V3/Smart_Proxy

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PPMC
http://people.apache.org/~ilgrosso/
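
The REST-to-JSON-RPC translation that the proposed user provisioning proxy would perform, as an added example that is not part of the original message and not code from FreeIPA, ConnId or Syncope. The /users route layout, the attribute allowlist and the uid pattern are assumptions; the command names and the envelope shape follow FreeIPA's JSON-RPC interface as the editor knows it, and sending the envelope over the Kerberos-protected channel is out of scope.

```python
import re

# Hypothetical REST routes (assumption): (HTTP method, uid in path?) -> command.
ROUTES = {("POST", False): "user_add", ("GET", True): "user_show",
          ("PUT", True): "user_mod", ("DELETE", True): "user_del"}
ALLOWED_OPTIONS = {"givenname", "sn", "mail"}   # attributes the proxy forwards
UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")
PATH_RE = re.compile(r"/users(?:/([^/]+))?")


class ProxyError(ValueError):
    """Request refused by the proxy before anything is sent to IPA."""


def rest_to_ipa_rpc(http_method, path, body=None, request_id=0):
    """Translate one REST request into a JSON-RPC envelope (a dict)."""
    match = PATH_RE.fullmatch(path)
    if match is None:
        raise ProxyError("unknown resource")
    path_uid = match.group(1)
    command = ROUTES.get((http_method.upper(), path_uid is not None))
    if command is None:
        raise ProxyError("method not allowed on this resource")
    options = dict(body or {})
    uid = path_uid if path_uid is not None else options.pop("uid", None)
    if not isinstance(uid, str) or UID_RE.fullmatch(uid) is None:
        raise ProxyError("invalid uid")
    if command in ("user_show", "user_del") and options:
        raise ProxyError("this operation takes no attributes")
    unknown = set(options) - ALLOWED_OPTIONS
    if unknown:
        raise ProxyError("attributes not allowed: " + ", ".join(sorted(unknown)))
    if not all(isinstance(v, str) and v for v in options.values()):
        raise ProxyError("attribute values must be non-empty strings")
    if command == "user_add" and not {"givenname", "sn"} <= set(options):
        raise ProxyError("givenname and sn are required")
    # Envelope: positional arguments first, then the options dict. Sending it
    # (HTTPS POST with Kerberos authentication) is left to the transport layer.
    return {"method": command, "params": [[uid], options], "id": request_id}


if __name__ == "__main__":
    import json
    sample = {"uid": "jdoe", "givenname": "John", "sn": "Doe"}  # constructed
    print(json.dumps(rest_to_ipa_rpc("POST", "/users", sample)))
```

Because the proxy holds the IPA credentials, the route table and attribute allowlist are what bound the privileges a connector can exercise through it.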



