Ronald Wimmer via FreeIPA-users wrote:
> We have several scenarios where we cannot establish an AD Trust. In
> these cases we are forced to create/modify/delete IPA users triggered
> from an IAM system. Is the IPA API the one and only way to go or would
> it also work if we used IPA's LDAP directly?

Using the stageuser and user API is recommended. It's certainly possible
to do it directly in LDAP but we don't encourage it. It requires
knowledge of how the entry is structured, what gets added automatically,
etc. We also can't guarantee that there won't be changes to the
objectclasses, etc. that would break any direct LDAP comms.

YMMV

rob