[Freeipa-users] Looking for documentation for Python API

Jan Cholasta jcholast at redhat.com
Thu May 12 06:58:35 UTC 2016 

On 11.5.2016 10:52, Martin Kosek wrote:
> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>
>>> So for example for caacl-add:
>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>> description")
>>>
>>> you can try commands in "ipa console" it contains initialized API, just
>>> call api.Command.<your-favorite-command>()
>>>
>>> API.txt provides the same information as API browser, but browser looks
>>> better :)
>>>
>>> Feel free to ask anything, if you identified gaps in docs which are hard
>>> to understand for non-IPA developer feel free report it, or feel free to
>>> create howTo in freeipa.org page.
>>
>> Thanks for the pointers. I'm looking at automating some user and group
>> additions, group editing, etc.  Am I right in assuming that anything that uses
>> the api.Command.<some_command> will require a kinit <user> before it is run,
>> even if it is via the Python API? If I want to use a user/pass from the script
>> itself (and not have a shell script which does kinit, then fires off my Python
>> script) would I be better off hitting the web API with sessions and JSON-RPC as
>> detailed here:
>>
>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>
>> Put another way, since I want to hit the API from a system that might not have
>> sssd installed, nor has joined the realm, I assume it would be *impossible* to
>> use api.Command.<something> as it relies on a Kerberos ticket?  To put it yet
>> another way: is there a way to hand a user/pass to the Python API and
>> authenticate that way.
>
> The API itself can be hit with user/password, as noted in Alexander's blog. If
> you want to use the actual Python API, Kerberos may be the only way. But I
> think Jan or Petr may had some other (hacky) way to pass user+password there too.

I don't think we support anything but Kerberos on the client side in our 
Python API. It might be possible to somehow emulate what the web UI 
does, but I haven't personally ever attempted to do that. Petr, have you?

>
>> Those are the questions I did not see addressed in the docs that I found.
>> There were lots of examples of invoking commands, but I never saw anything
>> about authenticating to the server before running the commands.
>>
>> Thanks again for the pointers, and if there is documentation I missed, feel
>> free to point me in that direction.
>


-- 
Jan Cholasta

More information about the Freeipa-users mailing list