Thanks everyone for the input. I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a remote host. And option 3 sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that there’s an existing/working API there. I’ll need to look into converting my objects into json. This area honestly seems like one of the weakest aspects of freeipa. There really needs to be a way to push known person entities into the directory easily. I would be willing to test option 4 if that is where the future is headed.

Tim

> On Mar 24, 2015, at 12:58 AM, Martin Kosek <mko...@redhat.com> wrote:
>
> On 03/24/2015 01:29 AM, Dmitri Pal wrote:
>> On 03/23/2015 05:56 PM, Timothy Worman wrote:
>>> I have an existing web app built with java/WebObjects that currently handles
>>> some user/groups tasks with our current directory server (Open Directory). We
>>> are investigating a move to FreeIPA for our directory services.
>>>
>>> Just in mucking around, I’ve found that if I try to insert a new user
>>> (inetOrgPerson) into IPA’s implementation, the new user does not inherit
>>> all the object classes it should. It only inherits the ones leading to
>>> inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
>>> that user record does not show up in the Web GUI management tools.
>>>
>>> Usually, I have focused on inetOrgPerson because that is where the bulk of
>>> the info about a user lives.
>>>
>>> We have a SQL database that contains people in our organization (used by
>>> other services), so, we need to be able to leverage that and push users into
>>> IPA when appropriate and we have an existing app to do this.
>>>
>>> Tim W
>>>
>> You have several options:
>> 1) Call ipa CLI from your application - this is possible right now (but not
>> quite nice)
>> 2) Call ipa JSON API from your application - this is not supported but
>> possible. We use python API. You can do it in Java but it will be a lot of
>> work.
>> 3) Use more elaborate LDAP add commands (with all the object classes needed for
>> users). Hard, but doable.
>> 4) Help us with testing the upcoming feature
>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
>> creating users via simple ldap command in a staging area and then moving them
>> to normal users area with automatic creation of missing attributes by means of
>> a cron job.
>>
>> I would vote for 1) as a temp solution and 4) as a longer term one.
>
> I do not fully agree with preferring 1) over 2). Java has libraries for
> JSON-RPC protocol, it should be pretty doable to write a call that calls the
> "user_add" command.
>
> We are lacking proper documentation for the API, but what you can look in the
> sources or in the Web UI with and see the JSONs sent to the server, if you are
> interested in the real life examples.
>
> Advantage of 2) over 1) is that you get the native objects (strings, arrays,
> numbers) and you do not need to parse it from CLI.
>
> Martin
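Added example, not from the thread or the FreeIPA project: the shape of the JSON-RPC `user_add` call Martin refers to, built from a row of the kind of SQL people table Tim describes, plus the reply handling that distinguishes success from an IPA error. It is written in Python (the language the project's own API clients use) and runs offline; the API version string, the column names and both sample replies are constructed placeholders, and the transport (POST to `/ipa/json` after a session login) is assumed and left out.

```python
import json

# Constructed placeholder: the "version" option must match the server's API
# version or IPA rejects the call, so read it from your server.
IPA_API_VERSION = "2.114"


def build_user_add_request(uid, givenname, sn, request_id=0, **options):
    """Build the JSON-RPC body for `user_add`, the same command the CLI runs.

    params is [positional args, keyword options]. The server adds the
    missing objectClasses itself, which a raw LDAP add of an inetOrgPerson
    does not do, so the user shows up in the Web UI."""
    opts = {"givenname": givenname, "sn": sn, "version": IPA_API_VERSION}
    opts.update({k: v for k, v in options.items() if v is not None})
    return {"method": "user_add", "params": [[uid], opts], "id": request_id}


def user_add_from_row(row):
    """Map one row of the (constructed) people table to a user_add request."""
    return build_user_add_request(row["username"], row["first_name"],
                                  row["last_name"], mail=row.get("email"))


class IPAError(Exception):
    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name = code, name


def parse_ipa_response(body):
    """Return the `result` member of a reply or raise IPAError.

    IPA reports command failures in the `error` member of a 200 reply,
    so HTTP status alone is not a success check."""
    reply = json.loads(body)
    if reply.get("error"):
        err = reply["error"]
        raise IPAError(err.get("code"), err.get("name"), err.get("message"))
    return reply["result"]


# Constructed sample replies (not captured from a real server).
SAMPLE_OK = json.dumps({"result": {"result": {"uid": ["tworman"],
    "objectclass": ["top", "person", "inetorgperson", "posixaccount"]},
    "value": "tworman", "summary": 'Added user "tworman"'}, "error": None, "id": 0})
SAMPLE_DUP = json.dumps({"result": None, "id": 0, "error": {"code": 4002,
    "name": "DuplicateEntry", "message": 'user with name "tworman" already exists'}})
```

Serialising `build_user_add_request(...)` with `json.dumps` gives the body to POST; a Java JSON-RPC library would produce the same structure.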