Hi Sylvain,

I'm not familiar with Tivoli, but maybe it's able to generate HTTP requests? I recently did a proof-of-concept (with help from this mailing list) to provision IPA with usernames/passwords. It's really a re-write of a post from Adam Young (http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/) and info from the IPA API documented at https://fedorahosted.org/freeipa/browser/API.txt
In this procedure you should replace curl with Tivoli.

# Add the (IPA) account you want to use for provisioning to the passSyncManagersDNs 'group' so that users that are created through provisioning do not have to change their passwords at first login. In this example I used 'admin' but you probably want a dedicated user:

    cat > add_passsync_manager.ldif << EOF
    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    changetype: modify
    add: passSyncManagersDNs
    passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=localdomain
    EOF
    ldapmodify -x -D "cn=Directory Manager" -W -f add_passsync_manager.ldif

# Check:

    ldapsearch -LLL -x -D "cn=Directory Manager" -W -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passsyncmanagersdns
    ...
    passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=localdomain

# The .json file is the 'add user' request that Tivoli should generate:

    cat > add_user_test.json << EOF
    {
      "method":"user_add",
      "params":[
        [],
        { "uid":"test", "givenname":"test", "sn":"test", "userpassword":"test" }
      ]
    }
    EOF

# Tivoli needs to be able to pass Kerberos credentials with the HTTP request (the '--negotiate -u :' part):

    kinit admin
    curl -v \
      --header referer:https://<IPA_HOST>/ipa \
      --header "Content-Type:application/json" \
      --header "Accept:application/json" \
      --negotiate -u : \
      --delegation always \
      --cacert /etc/ipa/ca.crt \
      --data @add_user_test.json \
      --request POST https://<IPA_HOST>/ipa/json
    …
    "summary": "Added user \"test\"",
    …

# Check. The user should not be asked to change his password...:

    kinit test

Regards,
Willem.

On Thu, Aug 23, 2012 at 9:53 PM, Sylvain Angers <sylvainang...@gmail.com> wrote:
> Hello all,
>
> Within our organisation, we use IBM Tivoli Identity Manager connectors to
> provision users/groups onto all our different types of systems. Currently there
> are as many connectors as we have unix boxes. As each unix box uses local auth,
> we use ITIM to push users/groups to local files... We have been investigating IPA
> for a while, and now we wonder if a regular LDAP connector from IBM Tivoli
> Identity Manager could be used to feed IPA so we would have one connector to
> manage our UNIX boxes via IPA. Our security folks would continue to have one
> single interface to do user/group provisioning.
>
> I found out that there is already an ITIM LDAP connector available, but is
> there such a thing as an ldap interface to manage ipa?
> Or would the only way to get ITIM to manage IPA be via a new connector
> built from remote ipa command lines?
>
> Thank you!
>
> --
> Sylvain Angers
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
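The exchange above shows the request envelope the IPA JSON-RPC endpoint expects and one line of a successful reply. The following is an added example, not code from either poster or from the FreeIPA project: it builds the same `user_add` envelope programmatically, sets the headers the curl call used, and checks the reply for the `error` member (IPA returns an `error` object with `name`, `code` and `message` on failure, and `null` on success) so a provisioning job can tell "user created" from "user already existed" instead of grepping for a summary string. The host name, realm and the two sample replies are constructed for the example; the `send_user_add` transport assumes the `requests` and `requests_gssapi` packages (`HTTPSPNEGOAuth` does the Kerberos Negotiate step that `--negotiate -u :` did in curl) and is never called by the offline checks.

```python
"""Build and check FreeIPA JSON-RPC user_add calls (added example, not from
the mailing-list post). Offline parts use only the standard library."""
import json

IPA_HOST = "ipa.example.test"  # placeholder host, constructed for the example


def build_user_add_request(uid, givenname, sn, password=None, req_id=0):
    """Return the JSON-RPC envelope IPA expects:
    method, then params = [positional args, keyword options]."""
    options = {"uid": uid, "givenname": givenname, "sn": sn}
    if password is not None:
        # userpassword travels in the request body; TLS to the pinned CA
        # (--cacert /etc/ipa/ca.crt in the curl example) is its only protection
        # on the wire, so never send this over plain http.
        options["userpassword"] = password
    return {"method": "user_add", "params": [[], options], "id": req_id}


def request_headers(host):
    """Headers matching the curl call; note Accept is application/json."""
    return {
        "Referer": "https://%s/ipa" % host,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


class IPAError(Exception):
    """Raised when the server reply carries a non-null 'error' member."""


def parse_user_add_response(body):
    """Return the summary string on success, raise IPAError with the server's
    error name/code/message otherwise. Raising on error (rather than only
    matching 'Added user') keeps a provisioning job from silently treating a
    DuplicateEntry or a permission failure as success."""
    reply = json.loads(body)
    err = reply.get("error")
    if err:
        raise IPAError("%s (code %s): %s" % (
            err.get("name"), err.get("code"), err.get("message")))
    result = reply.get("result") or {}
    return result.get("summary")


def send_user_add(host, payload, ca_cert="/etc/ipa/ca.crt"):
    """Assumed transport: requests + requests_gssapi (HTTPSPNEGOAuth performs
    the Kerberos Negotiate handshake using the ticket from 'kinit admin').
    Imported lazily so the module loads without those packages."""
    import requests  # assumption: third-party package present
    from requests_gssapi import HTTPSPNEGOAuth  # assumption: package present
    resp = requests.post("https://%s/ipa/json" % host,
                         headers=request_headers(host), json=payload,
                         auth=HTTPSPNEGOAuth(), verify=ca_cert)
    resp.raise_for_status()
    return parse_user_add_response(resp.text)


# Constructed sample replies in the shape IPA's JSON-RPC endpoint returns.
SAMPLE_OK = json.dumps({
    "result": {"result": {"uid": ["test"]}, "value": "test",
               "summary": 'Added user "test"'},
    "error": None, "id": 0, "principal": "admin@LOCALDOMAIN"})
SAMPLE_DUP = json.dumps({
    "result": None,
    "error": {"code": 4002, "name": "DuplicateEntry",
              "message": 'user with name "test" already exists'},
    "id": 0, "principal": "admin@LOCALDOMAIN"})


def demo():
    """Offline walk-through: build the request, then parse both replies."""
    payload = build_user_add_request("test", "test", "test", "test")
    print(json.dumps(payload, indent=2))
    print("ok reply  ->", parse_user_add_response(SAMPLE_OK))
    try:
        parse_user_add_response(SAMPLE_DUP)
    except IPAError as e:
        print("dup reply ->", e)


if __name__ == "__main__":
    demo()
```

The envelope produced by `build_user_add_request` is byte-for-byte equivalent to the `add_user_test.json` heredoc above, so the same checks apply whether Tivoli or a script generates the request.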