Raw LDAP adds/modifies bypassed FreeIPA's framework, so group/user creates
failed with Object Class Violation (no gidNumber/uidNumber/ipaUniqueID) and
deletes/mods needed ACIs the bind account couldn't exercise as a plain LDAP
write. Route all MUTATIONS through the FreeIPA JSON-RPC API instead; reads
stay on direct LDAP.
- internal/client/freeipa.go: new JSON-RPC client (form login_password →
ipa_session cookie, re-auth on 401, multi-server failover, TLS via the
configured CA). Derives the API host + login uid from the LDAP config.
- internal/service/ldap.go: CreateGroup/UpdateGroup/DeleteGroup/AddGroupMembers/
RemoveGroupMember → group_add/_mod/_del/_add_member/_remove_member;
CreateUser/UpdateUser/DisableUser/ResetPassword → user_add/_mod/_disable
(+_enable)/passwd. Services map → addattr(objectclass)/setattr. Writes error
cleanly when the IPA client is unconfigured.
- cmd/server/main.go: build the FreeIPA client from the LDAP config and inject
it into the LDAP service.
Verified live: group create (IPA-assigned gidNumber), get, add/remove member,
delete all succeed; reads unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
90f98671fc