[Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

Massimiliano Perrone massimiliano.perrone at tirasa.net
Tue Mar 11 15:29:13 UTC 2014 

Hi guys,
I hope to explain in a few words what we are doing with ConnID and IPA. 
Comments in-line.

On 03/10/2014 10:57 PM, Dmitri Pal wrote:
> On 03/10/2014 03:14 PM, Petr Viktorin wrote:
>> On 03/10/2014 07:17 PM, Dmitri Pal wrote:
>>> On 03/10/2014 08:24 AM, Petr Viktorin wrote:
>>>> On 03/07/2014 04:39 PM, Marco Di Sabatino Di Diodoro wrote:
>>>>> Hi all,
>>>>>
>>>>>
>>>>> Il giorno 03/feb/2014, alle ore 11:41, Francesco Chicchiriccò
>>>>> <ilgrosso at apache.org <mailto:ilgrosso at apache.org>> ha scritto:
>>>>>
>>>>>> On 31/01/2014 18:57, Dmitri Pal wrote:
>>>>>>> On 01/31/2014 08:17 AM, Francesco Chicchiriccò wrote:
>> [...]
>>>>>>>> I am actually not sure if it is "lightweight" connector could
>>>>>>>> actually
>>>>>>>> be better than a "loaded" connector (e.g. without proxy), from a
>>>>>>>> deployment point of view, unless you are saying either that (a) a
>>>>>>>> smart proxy is already available that can be reused
>>>>>>> The idea can be reused as a starting point. IMO the easiest would
>>>>>>> be to
>>>>>>> look at the patches and use same machinery but implement different
>>>>>>> commands.
>>>>>>>
>>>>>>>> or that (b) incorporating the smart proxy that we are going to
>>>>>>>> develop
>>>>>>>> into FreeIPA will easily happen.
>>
>> ^ quote left here deliberately
>>
>> [...]
>>>>>
>>>>> We start to implementing a FreeIPA ConnId connector for Apache 
>>>>> Syncope.
>>>>> We have to implement all identity operations defined by the ConnId
>>>>> framework.
>>>>> I would like to know the implementation status of the Smart/Proxy 
>>>>> and if
>>>>> we can use it to all the identity operations.
>>>>
>>>> I'm reviewing the Foreman Smart proxy patches now. They're not in the
>>>> FreeIPA repository yet. However the remaining issues were with
>>>> packaging, code organization, naming.
>>>>
>>>> The Smart Proxy is now specific to Foreman provisioning; it is not a
>>>> full REST interface so it will probably not support all operations you
>>>> need.
>>>>
>>>> For a full REST interface, patches are welcome but the core FreeIPA
>>>> team has other priorities at the moment.  The RFE ticket is here:
>>>> https://fedorahosted.org/freeipa/ticket/4168.
>>>
>>> For user provisioning you do not need a full REST api. You need to have
>>> a similar proxy but just for user related operations.
>>> So the smart proxy can be used as a model to do what you need to
>>> implement for Syncope integration.
>>
>> You'd be building two bridges (IPA--REST & REST--ConnID) when you 
>> could build just one. Unless you already have a suitable generic REST 
>> connector already, I don't think it's your best option. From this 
>> thread it seems to me that JSON-RPC--ConnID would not require 
>> significantly more work than just the REST--ConnID part.
>>
>>> What are the operations you need to implement? Can you list them?
>>
>> They were listed earlier in the thread, and [5].
>
>
> It is usually easy to take something that is already working like 
> smart proxy and change the entry points to the ones that you need.
> I am not familiar with the architecture of the connectors. Are they 
> separate processes? Are they daemons? Are they forked per request?
> Connection to IPA needs to be authenticated. If the connection to IPA 
> happens from a single process like smart proxy you do not need to 
> worry about machinery related to authentication and session managment. 
> It is already implemented.
> This is why I was suggesting to use smart proxy. IMO REST vs. JSON is 
> not that big deal. They are similar. Doing things right from the 
> authentication POV and session management are much harder. But if we 
> do not see a value in using smart proxy even like a reference point 
> for ConnID I would not insist.

Basically a ConnID bundle (ConnID is framework used by Apache Syncope to 
connect the external resources) is a Java library developed to invoke 
the following operations from Apache Syncope to the target resource:

AUTHENTICATE
CREATE
UPDATE
UPDATE_ATTRIBUTE_VALUES
DELETE
RESOLVE_USERNAME
SCHEMA
SEARCH
SYNC
TEST

For example, ConnID already has an Active Directory bundle [9] and an 
LDAP bundle [10].

As you already know, our goal is to develop a new bundle to invoke the 
provisioning operations on IPA server installation.

 From "ConnID development" point of view, the first thing is to choose a 
right way (to read protocol/interfaces) to communicate with the server.

Briefly "the right way" needs:
*) a long term support interfaces;
*) an interfaces that allows all user / group provisioning operations;
*) a way which leaves ConnID developers totally independent from (in 
this case) the FreeIPA development.

Starting from this introduction we think that the right way is to use 
JSON-RPC interfaces, with particular attention to authentication and 
session management, as suggested by you.

Do we have to consider other critical factors before starting to work?

Massi

>
>
>>
>>>>>> Otherwise, we will instead specialize the CMD connector [12] to
>>>>>> feature the FreeIPA command-line interface (as suggested at the
>>>>>> beginning of this thread). There will be potentially need, in this
>>>>>> case, to include the ConnId connector server into the Syncope
>>>>>> deployment architecture, but this is a supported pattern.
>>>>
>>>> Have you looked at JSON-RPC interface mentioned earlier in this
>>>> thread, and [6]? It might be cleaner to use that than the command-line
>>>> interface.
>>>>
>>>>
>>>>
>>>>> [1] http://syncope.apache.org/
>>>>> [2] http://tirasa.github.io/ConnId/
>>>>> [3] http://java.net/projects/identityconnectors/
>>>>> [4] https://github.com/Tirasa/ConnIdFreeIPABundle
>>>>> [5]
>>>>> http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/framework/spi/operations/package-summary.html 
>>>>>
>>>>>
>>>>> [6]
>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00109.html 
>>>>>
>>>>> [7] http://www.freeipa.org/page/Documentation
>>>>> [8] http://www.freeipa.org/page/V3/Smart_Proxy
[9] https://github.com/Tirasa/ConnIdADBundle
[10] https://github.com/Tirasa/ConnIdLDAPBundle
>>
>
>


-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~massi/

"L'apprendere molte cose non insegna l'intelligenza"
(Eraclito)

More information about the Freeipa-devel mailing list