[Freeipa-users] Custom kinit

Rob Crittenden rcritten at redhat.com
Mon Aug 25 15:48:36 UTC 2014


Yago Fernández Pinilla wrote:
> I'm using FreeIpa 3.3.5. And according to what I saw, using the API,
> seems to be the best option.
> 
> For the time being I just want to request tickets and check tickets.
> 
> Is that possible?
> .

I'm still not sure what it is you're trying to do.

It's important to remember that IPA isn't a server itself, it is a
collection of services configured to work together towards a common goal
(centralized identity). What we add is a management framework on top to
(hopefully) make things easier. This is what our API does, helps you
manage users, groups, etc.

A ticket is a Kerberos concept and you would obtain it directly from the
KDC. The IPA API is not involved in that case.

If that is what you want to do then it involves the python-krbV package
which is difficult at best to use and doesn't implement the entire
Kerberos stack. You can though do the equivalent of a kinit using a
keytab doing something like:

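import os

import krbV
from ipalib import api

# Initialize the IPA client framework so api.env.host and api.env.realm are set
api.bootstrap(context='test')
api.finalize()

ccache_file = 'FILE:/tmp/host_ccache'
krbcontext = krbV.default_context()
# Host principal of this machine, in the form host/<fqdn>@<REALM>
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
principal = krbV.Principal(name=principal, context=krbcontext)
# Point the Kerberos libraries at the credential cache
os.environ['KRB5CCNAME'] = ccache_file
ccache = krbV.CCache(name=ccache_file, context=krbcontext,
    primary_principal=principal)
ccache.init(principal)
# Obtain a TGT from the KDC using the keytab (the kinit equivalent)
ccache.init_creds_keytab(keytab=keytab, principal=principal)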

You'll definitely want to do something differently with the ccache file
than I'm showing here.

I threw in IPA client initialization here so you could use this to
prepare to do IPA API calls.

rob

> 
> 
> On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>     Yago Fernández Pinilla wrote:
>     > I want to integrate it in other service. Is there any good
>     > documentation about the APIs?
> 
>     We really need more details in order to help you.
> 
>     The API for IPA is not documented though once you get the patterns down
>     it is fairly straightforward.
> 
>     This of course is a completely separate issue of kinit in python. What
>     release of IPA on which distro(s) are you looking at?
> 
>     rob
> 
>     >
>     > Thanks in advance
>     >
>     >
>     > On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>     >
>     >     On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote:
>     >     > Hi,
>     >     >
>     >     > I would like to create a script in python that does the same as
>     >     > kinit, I don't know where to start.
>     >
>     >     Why do you need this?
>     >
>     >
>     >
>     >
>     >
>     > --
>     > Yago Fernández Pinilla
>     > e-mail: yagofp8 at gmail.com
>     >
>     >
>     >
> 
> 
> 
> 
> -- 
> Yago Fernández Pinilla
> e-mail: yagofp8 at gmail.com
> 
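
The message above notes that the ccache file should be handled differently from the fixed /tmp path it shows. One way to do that, as an added example that is not part of the original post or of FreeIPA: the helper names private_ccache and ccache_problems are hypothetical, only the Python standard library is used, and a POSIX host is assumed.

```python
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def private_ccache(prefix='krb5cc_'):
    """Yield a FILE: ccache name inside a fresh directory only we can enter."""
    # mkdtemp creates the directory with mode 0700 and an unpredictable name,
    # so no other local user can pre-create or symlink the cache path.
    directory = tempfile.mkdtemp(prefix=prefix)
    name = 'FILE:' + os.path.join(directory, 'ccache')
    previous = os.environ.get('KRB5CCNAME')
    os.environ['KRB5CCNAME'] = name
    try:
        yield name
    finally:
        # Restore the caller's environment and destroy the cached tickets.
        if previous is None:
            os.environ.pop('KRB5CCNAME', None)
        else:
            os.environ['KRB5CCNAME'] = previous
        shutil.rmtree(directory, ignore_errors=True)


def ccache_problems(name):
    """Return reasons why an existing FILE: ccache should not be trusted."""
    path = name[len('FILE:'):] if name.startswith('FILE:') else name
    try:
        info = os.lstat(path)  # lstat: do not follow a planted symlink
    except OSError as exc:
        return ['cannot stat: %s' % exc.strerror]
    problems = []
    if stat.S_ISLNK(info.st_mode):
        problems.append('is a symbolic link')
    elif not stat.S_ISREG(info.st_mode):
        problems.append('is not a regular file')
    if info.st_uid != os.geteuid():
        problems.append('not owned by the current user')
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append('accessible by group or others')
    return problems
```

The keytab-based calls from the message would run inside `with private_ccache() as ccache_file:` in place of the hard-coded `ccache_file` assignment.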



