Re: [Freeipa-users] Python Client

Thank you for your reply. Could there be any way that accounts can be provisioned to IPA, via LDAP, from an existing IAM system? The newly provisioned accounts can be temporarily stored in IPA's 389 Directory Server, and subsequently an automated task can IPA-ize the accounts (i.e. via the Python libraries). The accounts that have not been IPA-ized will be provisioned in a disabled state (i.e. users will not be using them). After accounts have been IPA-ized, account attributes, such as 'givenName', 'password', 'membershipOf', can be managed by LDAP from the central IAM system.

Thank you.

On Tue, Feb 12, 2013 at 4:18 PM, Dmitri Pal wrote:
> On 02/12/2013 12:42 PM, It Meme wrote:
> > Yes - Dmitri is correct.
> >
> > Our purchased IAM product has LDAP connectors. It is possible to customize to develop other connector protocols but it requires tweaking the core product code - this adds risk and, if not careful, could break our support with the vendor or increase operational risk to a critical production system.
> >
> > The most practical option is to continue to use the LDAP connectors to provision accounts to the directory server.
> >
> > If we use IPA, that would mean provisioning accounts, from our IAM product to IPA, via LDAP (Step 1) - and subsequently running a script that will call the python libraries to IPA-ize the provisioned accounts (Step 2).
> >
> > It will assist our help desk staff if 'Step 1' provisioned accounts were created in the main accounts tree in IPA - then a subsequent script will IPA-ize the accounts for 'Step 2' and accounts will be updated in the same tree.
> >
> > Any gotchas foreseen with the above?
> Yes. You need to be very careful. You are bypassing all the checks that the framework creates around user and group management. It is also unclear how the system would react to the half baked user. It is all doable but you shift the risk from tweaking the core product code to creating custom IPA code. IMO the level of risk is nearly the same.
> >
> > We have a larger user base with ~40K new accounts per year and 600K ongoing - automating the tasks in stable systems, and having help desk insight into account statuses, are critical items for management.
> >
> > Thank you for your help, insights, input - they are very helpful and greatly appreciated.
> >
> > On 2013-02-10, at 7:32, Dmitri Pal wrote:
> >
> >> On 02/09/2013 11:53 AM, John Dennis wrote:
> >>> On 02/08/2013 05:29 PM, It Meme wrote:
> >>>> Hi:
> >>>>
> >>>> Scenario:
> >>>>
> >>>> 1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)
> >>>>
> >>>> The above user will not have IPA-specific attributes.
> >>>>
> >>>> Can we use the Python Library, or CLI, to modify the account to IPA-ize it?
> >>> You're really better off using the IPA API directly rather than trying to bypass it. Why? Because we implement additional logic inside the commands. If you could achieve everything IPA does by just modifying an LDAP server there wouldn't be a need for IPA. A good example of this is group membership: some of that logic is handled directly by a plugin to the 389 DS, but a large part of it is implemented in the IPA commands that manage users and groups. You really don't want to bypass it.
> >>>
> >>> You have a number of options on how to call the IPA commands:
> >>>
> >>> 1) the ipa command line client
> >>>
> >>> 2) sending the command formatted in JSON to the server
> >>>
> >>> 3) sending the command formatted in XML-RPC to the server
> >>>
> >>> 4) calling the command from your own python code
> >>>
> >>> 5) using the web GUI
> >>>
> >>> It's really not hard to call the IPA command line client from a program; typically this is done via a "system" command of which there are a number of variants.
> >>>
> >>> The following thread has a discussion of how to invoke one of our commands from Python code; this particular email response from Martin shows how it can be done in about half a dozen lines of code.
> >>>
> >>> https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html
> >>>
> >>> What I'm not understanding why you're avoiding usi
[Freeipa-users] IPA Account - Managed by LDAP Calls

Hi:

Assumption: Accounts have been provisioned in IPA.

Can the IPA provisioned accounts be subsequently managed by LDAP calls from an external system? Examples: password update, group membership.

Thank you.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Python Client

Yes - Dmitri is correct.

Our purchased IAM product has LDAP connectors. It is possible to customize to develop other connector protocols but it requires tweaking the core product code - this adds risk and, if not careful, could break our support with the vendor or increase operational risk to a critical production system.

The most practical option is to continue to use the LDAP connectors to provision accounts to the directory server.

If we use IPA, that would mean provisioning accounts, from our IAM product to IPA, via LDAP (Step 1) - and subsequently running a script that will call the python libraries to IPA-ize the provisioned accounts (Step 2).

It will assist our help desk staff if 'Step 1' provisioned accounts were created in the main accounts tree in IPA - then a subsequent script will IPA-ize the accounts for 'Step 2' and accounts will be updated in the same tree.

Any gotchas foreseen with the above?

We have a larger user base with ~40K new accounts per year and 600K ongoing - automating the tasks in stable systems, and having help desk insight into account statuses, are critical items for management.

Thank you for your help, insights, input - they are very helpful and greatly appreciated.

On 2013-02-10, at 7:32, Dmitri Pal wrote:
> On 02/09/2013 11:53 AM, John Dennis wrote:
>> On 02/08/2013 05:29 PM, It Meme wrote:
>>> Hi:
>>>
>>> Scenario:
>>>
>>> 1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)
>>>
>>> The above user will not have IPA-specific attributes.
>>>
>>> Can we use the Python Library, or CLI, to modify the account to IPA-ize it?
>>
>> You're really better off using the IPA API directly rather than trying to bypass it. Why? Because we implement additional logic inside the commands. If you could achieve everything IPA does by just modifying an LDAP server there wouldn't be a need for IPA. A good example of this is group membership: some of that logic is handled directly by a plugin to the 389 DS, but a large part of it is implemented in the IPA commands that manage users and groups. You really don't want to bypass it.
>>
>> You have a number of options on how to call the IPA commands:
>>
>> 1) the ipa command line client
>>
>> 2) sending the command formatted in JSON to the server
>>
>> 3) sending the command formatted in XML-RPC to the server
>>
>> 4) calling the command from your own python code
>>
>> 5) using the web GUI
>>
>> It's really not hard to call the IPA command line client from a program; typically this is done via a "system" command of which there are a number of variants.
>>
>> The following thread has a discussion of how to invoke one of our commands from Python code; this particular email response from Martin shows how it can be done in about half a dozen lines of code.
>>
>> https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html
>>
>> What I'm not understanding is why you're avoiding using the commands we provide. If you're not familiar with how to call another program/process we can help you or just google it. Or is the problem that your existing management system does not provide you with any "hooks" to execute code when an action occurs? But from everything you've said so far you imply it does provide such hooks. Perhaps if you could be more specific we could be more helpful.
> It seems that the management system in question can insert an entry into LDAP but can't do the "generic" hook.
> I bet this is the issue here.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Python Client

Hi Dmitri:

Yes, we are evaluating ways of provisioning users and their group memberships for Joiner, Mover, Leaver (JML) events. We were thinking of your suggestion as an option and your reply was very helpful. Our expected real-time scenario is probably 5 mins latency.

Is it viable to explore provisioning accounts/groups to the destination tree via LDAP calls, and a subsequent cron job then runs, identifies the newly provisioned accounts, and applies modifications to create the IPA-specific attributes? Or is the temp folder the only option?

Thank you for all your great help.

On Fri, Feb 8, 2013 at 2:39 PM, Dmitri Pal wrote:
> On 02/08/2013 05:29 PM, It Meme wrote:
> > Hi:
> >
> > Scenario:
> >
> > 1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)
> >
> > The above user will not have IPA-specific attributes.
> >
> > Can we use the Python Library, or CLI, to modify the account to IPA-ize it?
>
> Is this an integration with the external provisioning system?
> Do you need to do it in real time or in batches?
>
> A simple solution that comes to mind is:
> to create users in a different sub tree in ipa temporarily
> run a cron job to inspect this area and translate the data in this temp entry into the arguments of the CLI add user command and then clean this temp area.
> ldap search > parse > ipa user-add > delete processed temp entries
>
> The job can run at the cadence you think is reasonable - 30 min may be?
>
> > Thanks.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
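Dmitri's staging-subtree sweep (ldap search > parse > ipa user-add > delete processed temp entries) as an added Python example; this is not code from the thread or from FreeIPA. It assumes a hypothetical staging subtree ou=staging,dc=example,dc=com that the IAM product writes plain entries into, and it only plans the ipa CLI argument vectors so it runs offline; the real cron job would hand each argv to subprocess and delete the staging entry only after every command succeeded, so the checks John describes inside the IPA commands are never bypassed.

```python
# Constructed LDIF standing in for a search of the hypothetical staging subtree.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=staging,dc=example,dc=com
uid: jdoe
givenName: Jane
sn: Doe
mail: jdoe@example.com
memberOf: cn=hr,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=staff,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bad1,ou=staging,dc=example,dc=com
uid: bad1
givenName: Nobody
"""

def parse_ldif(text):
    """Split plain LDIF (no base64 '::' values) into attr -> [values] dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

REQUIRED = ("uid", "givenname", "sn")  # the minimum `ipa user-add` needs

def to_ipa_commands(entry):
    """Return the ipa CLI argv lists that IPA-ize one staging entry; raise
    ValueError (the entry stays in staging) when a required attribute is absent."""
    missing = [a for a in REQUIRED if a not in entry]
    if missing:
        raise ValueError("%s is missing %s" % (entry.get("dn", ["?"])[0], missing))
    login = entry["uid"][0]
    cmd = ["ipa", "user-add", login, "--first=" + entry["givenname"][0],
           "--last=" + entry["sn"][0]]
    if "mail" in entry:
        cmd.append("--email=" + entry["mail"][0])
    cmds = [cmd]
    # Membership goes through the IPA command, not a raw LDAP modify: part of
    # that logic lives in the user/group commands rather than in 389 DS.
    for dn in entry.get("memberof", []):
        group = dn.split(",", 1)[0].split("=", 1)[1]   # cn=hr,... -> hr
        cmds.append(["ipa", "group-add-member", group, "--users=" + login])
    return cmds
```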
[Freeipa-users] Python Client

Hi:

Scenario:

1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)

The above user will not have IPA-specific attributes.

Can we use the Python Library, or CLI, to modify the account to IPA-ize it?

Thanks.
[Freeipa-users] Java JSON Example -> IPA API

Hi.

Would there be any online examples for calling the IPA JSON APIs from a Java application?

Thanks.
Re: [Freeipa-users] IPA Create User
Thank you John - much appreciated. Sent from my iPhone On 2013-02-04, at 16:35, John Dennis wrote: > On 02/04/2013 07:07 PM, It Meme wrote: >> Thank you John for your helpful reply. >> >> Near real time will be sufficient - within the 5 min range. >> >> Will it be practical when managing a user's groups - these can happen >> when a user moves within the organization or is terminated. > > I'm not sure we've done timing measurements on various operations, but in > general most IPA commands are fast executing in sub-second elapsed time on > the server. Latency on the client side can be introduced by such things as > authentication (mitigated by the use of client sessions), network latencies > between the client and the server, DNS resolution, etc. Those types of > network induced latencies can be very hard to predict because it depends on a > number of external factors having nothing to do with IPA per se. Elapsed time > on the server is also influenced by LDAP tuning (e.g. indexes), memory, > available CPU, etc. > > Things like adding a user, or adding a user to a group are not compute > intensive and should execute quickly. For your intended use I don't see any > issues with the elapsed time for command execution. > > -- > John Dennis > > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
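John's option (2), sending the command formatted in JSON, is what the Java JSON question above asks about, and his remark that client sessions mitigate authentication latency refers to the session endpoint. The following is an added Python example, not code from the thread or from FreeIPA; it assumes a hypothetical server ipa.example.com and an API version of 2.49, and it only builds and unwraps the JSON-RPC messages so it runs offline (any HTTPS client can send them).

```python
import json

IPA_HOST = "ipa.example.com"   # assumption: hypothetical server
API_VERSION = "2.49"           # assumption: API version the client was tested against

def ipa_json_payload(method, args=(), options=None):
    """Build the JSON-RPC body IPA expects: params = [positional args, options dict].

    Pinning "version" keeps the server from changing output formats under
    the client when IPA is upgraded.
    """
    opts = dict(options or {})
    opts.setdefault("version", API_VERSION)
    return {"method": method, "params": [list(args), opts], "id": 0}

def ipa_json_request(host, method, args=(), options=None, session_cookie=None):
    """Return (url, headers, body) for one call; nothing is sent here."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json",
               # Mandatory: the IPA web framework uses Referer as CSRF protection
               # and rejects requests that lack it.
               "Referer": "https://%s/ipa" % host}
    if session_cookie:
        # Session endpoint: cookie from /ipa/session/login_password (or
        # login_kerberos) so each call does not re-authenticate.
        headers["Cookie"] = session_cookie
        url = "https://%s/ipa/session/json" % host
    else:
        url = "https://%s/ipa/json" % host   # per-request Kerberos (Negotiate) auth
    return url, headers, json.dumps(ipa_json_payload(method, args, options))

def ipa_json_result(response_text):
    """Unwrap a reply; raise RuntimeError carrying IPA's error name on failure."""
    reply = json.loads(response_text)
    err = reply.get("error")
    if err:
        raise RuntimeError("%s (%s): %s" % (err.get("name"), err.get("code"), err.get("message")))
    return reply["result"]

# Constructed replies shaped like IPA's (not captured from a real server).
SAMPLE_OK = ('{"result": {"result": {"uid": ["jdoe"]}, "value": "jdoe", '
             '"summary": "Added user \\"jdoe\\""}, "error": null, "id": 0}')
SAMPLE_ERR = ('{"result": null, "error": {"code": 4002, "name": "DuplicateEntry", '
              '"message": "user with name \\"jdoe\\" already exists"}, "id": 0}')
```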
Re: [Freeipa-users] IPA Create User

Thank you John for your helpful reply.

Near real time will be sufficient - within the 5 min range.

Will it be practical when managing a user's groups - these can happen when a user moves within the organization or is terminated.

On Fri, Feb 1, 2013 at 8:59 PM, John Dennis wrote:
> On 02/01/2013 10:26 PM, It Meme wrote:
>> Hi Dimitri:
>>
>> Thank you for your helpful posts.
>>
>> Do you know of any organization that provisions accounts and groups in real-time, from an external IdM system, to IPA, via CLI?
>>
>> We have an IdM system which will be reading data from HR, and making 'joiner, mover, leaver' decisions - accounts are provisioned, deleted, groups changed etc. based on the HR data.
>>
>> Is it feasible to consider the IdM system calling the CLI, via scripts, to create/delete accounts, manage groups, in near real-time?
>
> Calling a script does not take much time (especially compared to the elapsed time it takes for the command to complete); it would only be an issue if you were trying to do a number of transactions per second, but it doesn't sound like your HR dept is going to need that kind of throughput. It's also possible to call our API from Python, others have done this. Whether your IdM forks out to a shell script or to a Python script would be negligible compared to the total elapsed time to complete the operation.
>
> I suppose the answer to your question begs another: what's your definition of "real time"? If your IdM triggers a transaction and it completes within a few seconds is that real time?
>
> John
>
> --
> John Dennis
Re: [Freeipa-users] IPA Create User

Hi Dimitri:

Thank you for your helpful posts.

Do you know of any organization that provisions accounts and groups in real-time, from an external IdM system, to IPA, via CLI?

We have an IdM system which will be reading data from HR, and making 'joiner, mover, leaver' decisions - accounts are provisioned, deleted, groups changed etc. based on the HR data.

Is it feasible to consider the IdM system calling the CLI, via scripts, to create/delete accounts, manage groups, in near real-time?

I am gathering the details on options and will present them to management.

Thanks.

On Fri, Feb 1, 2013 at 4:42 PM, Dmitri Pal wrote:
> On 02/01/2013 07:00 PM, It Meme wrote:
> > Hi:
> >
> > We would like to trigger creation of user accounts from another application - is this possible completely by LDAP calls?
> >
> > Or using the APIs, the best way to proceed?
>
> Actually using CLIs would be the preferred and supported way for the time being.
> APIs would be the second. They are stable but not public. We have not published them because so far no one seriously considered calling IPA from another application. May be you are going to be the first. You can look at the extensibility guide. Also we would be able to provide additional guidance but we are not ready to call it an API we are not going to break, so if you are fine with modifying your app if we change things it might be a good option for both of us to move to a more production ready API.
> LDAP is not a preferred method for creation of the entries because we do more in the code than just calling LDAP modify.
> We can help you to craft something but effectively you would have to duplicate our ipa user-add logic within your code. I suspect you do not want to go this path.
>
> Thanks
> Dmitri
>
> > Thanks.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.