[Freeipa-users] Custom kinit
Dmitri Pal
dpal at redhat.com
Tue Aug 26 22:47:28 UTC 2014
On 08/26/2014 11:43 AM, Yago Fernández Pinilla wrote:
> I have checked what you told me.
>
> What I would like to do is: having a user and a password, authenticate
> against the Kerberos server using a Python script (not using kinit)
> and then be able to access the ticket that is returned by
> Kerberos.
Access by what?
Can you please describe a full flow as you see it?
>
> User -----> Service ------> Kerberos
>
> The user sends user and password the first time to authenticate and
> then the ticket.
> I know that this can look a bit weird but in the environment that I'm
> working on I need this.
>
> Any idea how I can do this? I have checked many libraries in Python
> but they don't seem to have what I need.
>
> Thanks in advance
>
> Yago
>
>
>
> On Tue, Aug 26, 2014 at 9:37 AM, Yago Fernández Pinilla
> <yagofp8 at gmail.com> wrote:
>
> Thanks for the info!
>
> I will work more on this and comment my progress
>
>
>
> On Mon, Aug 25, 2014 at 5:48 PM, Rob Crittenden
> <rcritten at redhat.com> wrote:
>
> Yago Fernández Pinilla wrote:
> > I'm using FreeIPA 3.3.5. And according to what I saw, using the API
> > seems to be the best option.
> >
> > For the time being I just want to request tickets and check tickets.
> >
> > Is that possible?
>
> I'm still not sure what it is you're trying to do.
>
> It's important to remember that IPA isn't a server itself, it is a
> collection of services configured to work together towards a common goal
> (centralized identity). What we add is a management framework on top to
> (hopefully) make things easier. This is what our API does, helps you
> manage users, groups, etc.
>
> A ticket is a Kerberos concept and you would obtain it directly from the
> KDC. The IPA API is not involved in that case.
>
> If that is what you want to do then it involves the python-krbV package
> which is difficult at best to use and doesn't implement the entire
> Kerberos stack. You can though do the equivalent of a kinit using a
> keytab doing something like:
>
> import os
>
> import krbV
> from ipalib import api
>
> # Initialize the IPA client framework (provides api.env.host and api.env.realm)
> api.bootstrap(context='test')
> api.finalize()
>
> ccache_file = 'FILE:/tmp/host_ccache'
> krbcontext = krbV.default_context()
> principal = str('host/%s@%s' % (api.env.host, api.env.realm))
> keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
> principal = krbV.Principal(name=principal, context=krbcontext)
> os.environ['KRB5CCNAME'] = ccache_file
> ccache = krbV.CCache(name=ccache_file, context=krbcontext,
>                      primary_principal=principal)
> ccache.init(principal)
> # Equivalent of "kinit -k": obtain a TGT using the host keytab
> ccache.init_creds_keytab(keytab=keytab, principal=principal)
>
> You'll definitely want to do something differently with the ccache file
> than I'm showing here.
>
> I threw in IPA client initialization here so you could use this to
> prepare to do IPA API calls.
>
> rob
>
> >
> > On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden
> > <rcritten at redhat.com> wrote:
> >
> > Yago Fernández Pinilla wrote:
> > > I want to integrate it in another service. Is there any good
> > > documentation about the APIs?
> >
> > We really need more details in order to help you.
> >
> > The API for IPA is not documented though once you get the patterns down
> > it is fairly straightforward.
> >
> > This of course is a completely separate issue of kinit in python. What
> > release of IPA on which distro(s) are you looking at?
> >
> > rob
> >
> > >
> > > Thanks in advance
> > >
> > >
> > > On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek
> > > <jhrozek at redhat.com> wrote:
> > >
> > > On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote:
> > > > Hi,
> > > >
> > > > I would like to create a script in Python that does the same as
> > > > kinit, I don't know where to start.
> > >
> > > Why do you need this?
> > >
> > > --
> > > Yago Fernández Pinilla
> > > e-mail: yagofp8 at gmail.com
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
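
Rob's reply says the ccache file should be handled differently from the fixed `FILE:/tmp/host_ccache` in his snippet. One way to do that, as an added example that is not part of the original thread: create the cache in a randomly named, owner-only directory and check a `FILE:` location before pointing `KRB5CCNAME` at it. The function names and the specific checks are assumptions of this example.

```python
import os
import shutil
import stat
import tempfile


def make_private_ccache(prefix="krb5cc_svc_"):
    """Create a randomly named, owner-only directory; return (dir, KRB5CCNAME value)."""
    ccache_dir = tempfile.mkdtemp(prefix=prefix)  # mkdtemp creates it with mode 0700
    return ccache_dir, "FILE:" + os.path.join(ccache_dir, "ccache")


def ccache_path_problems(ccache_name):
    """Return the reasons a FILE: ccache location is unsafe (empty list means OK)."""
    if not ccache_name.startswith("FILE:"):
        return ["not a FILE: ccache"]
    path = ccache_name[len("FILE:"):]
    problems = []
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_uid != os.getuid():
        problems.append("parent directory is owned by another user")
    if parent.st_mode & 0o077:
        problems.append("parent directory is accessible to group/other")
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at this name
    except FileNotFoundError:
        return problems  # cache not created yet; only the directory matters
    if not stat.S_ISREG(st.st_mode):
        problems.append("ccache is not a regular file")
    elif st.st_uid != os.getuid():
        problems.append("ccache is owned by another user")
    elif st.st_mode & 0o077:
        problems.append("ccache is readable by group/other")
    return problems


def demo():
    """Check a constructed stand-in for /tmp against a private dir with a placeholder cache."""
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)  # same mode as a typical /tmp
    private_dir, private_name = make_private_ccache()
    os.close(os.open(private_name[len("FILE:"):], os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    result = {
        "shared": ccache_path_problems("FILE:" + os.path.join(shared, "host_ccache")),
        "private": ccache_path_problems(private_name),
    }
    shutil.rmtree(shared)
    shutil.rmtree(private_dir)
    return result
```

The second value returned by `make_private_ccache()` is what would be assigned to `os.environ['KRB5CCNAME']` and used as the ccache name in the quoted snippet.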