#7966 Reimplement ipa-join in Python
Opened 5 months ago by cheimes. Modified 3 months ago

Request for enhancement

We want to deprecate and eventually remove the XML-RPC interface in favor of JSON-RPC. The ipa-join command is currently implemented in C and uses libxmlrpc-client to talk to IPA servers. It's the last command that requires the XML-RPC API and libxmlrpc-client in the FreeIPA source tree. AFAIK only certmonger and ipa-join depend on XML-RPC at all.

Rather than re-implementing the XML-RPC part of ipa-join.c with some JSON-RPC library, it is probably easier and less risky to replace the implementation with a pure Python implementation. The command is not terribly complicated:

  • it connects to LDAP to retrieve the root DN and verify that the server is an IPA server.
  • it creates fqdn=$HOSTNAME,cn=computers,cn=accounts,$SUFFIX
  • it calls the join RPC endpoint on installation and host_disable endpoint on uninstallation
  • it runs ipa-getkeytab

As a side note on the Certmonger situation - seems like a good opportunity to reimplement the IPA renewal helper and take control of it from Certmonger (perhaps shipping it as a separate package on its own release cadence, or perhaps part of ipa-client).

Alexander mentioned that he would rather replace libxmlrpc-client with a JSON RPC C-library than to reimplement ipa-join in Python.
