[Freeipa-users] Read-only permission with no authentication

Alexander Bokovoy abokovoy at redhat.com
Tue May 17 16:02:37 UTC 2016


On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
>I'm trying to set up an account that will only have read permissions 
>to FreeIPA's user and host info to get some automated documentation 
>tasks running.  Basically I want to set up a cron job on a FreeIPA 
>server that will read info using the ipa command line tools like "ipa 
>user-find", "ipa user-show --all" and some of the host commands.  
>After it reads that info I can handle it in perl to maintain some 
>documentation requirements.  But I don't want to be forced into saving 
>a password anywhere along the way if I can avoid it.
>
>Is there a way to set an account so it will be able to run those ipa 
>commands in a read-only state but not have any authentication 
>requirement?
No, it is not possible. On the IPA server side all connections to the
management framework are always authenticated.

You can use an approach described in
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
to obtain an authentication token and get requests to the IPA server with
that token. However, this implies you still need to authenticate first.

Another approach would be to create a service, obtain a keytab with a
key for that service and run your 'ipa ...' calls with Kerberos
authentication based on that keytab. On reasonably recent systems you
can use GSS-Proxy to make sure your script does not have direct access
to the keytab, and that would also make it possible for GSS-Proxy to
re-acquire the ticket on your behalf.
-- 
/ Alexander Bokovoy
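
One way to put the keytab-based approach above into a cron-safe script, as an added example that is not from this thread or from the FreeIPA project; the service name "docreader", host "ipa1.example.test", realm EXAMPLE.TEST and keytab path /etc/docreader.keytab are assumed placeholders:

```shell
#!/bin/sh
# Added example (not from the mailing list thread): run read-only 'ipa'
# commands from cron with a service keytab instead of a stored password.
# Assumed names: service "docreader", host "ipa1.example.test", realm
# EXAMPLE.TEST, keytab /etc/docreader.keytab. Adjust to your deployment.
set -eu

# Build the Kerberos principal for a service on a host in a realm.
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Return 0 only if the keytab exists and has no group/other permission
# bits, so nothing but the cron user can read the key material.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# One-time setup, run with IPA admin credentials: create the service and
# pull its key into a keytab. ipa-getkeytab generates a new key each time,
# so do this once. The service gets only what the default read ACIs allow
# plus any role you explicitly assign to it.
setup_service() {
    princ=$(service_principal docreader ipa1.example.test EXAMPLE.TEST)
    ipa service-add "$princ"
    ipa-getkeytab -p "$princ" -k /etc/docreader.keytab
    chmod 0600 /etc/docreader.keytab
}

# The cron job: refuse to run if the keytab is exposed, authenticate from
# it into a private credential cache, run the read-only queries, then
# discard the tickets so no reusable credential is left behind.
run_report() {
    keytab_is_private /etc/docreader.keytab || {
        echo "keytab is group/world readable, refusing to run" >&2
        return 1
    }
    princ=$(service_principal docreader ipa1.example.test EXAMPLE.TEST)
    KRB5CCNAME="FILE:$(mktemp /tmp/docreader.cc.XXXXXX)"
    export KRB5CCNAME
    trap 'kdestroy -q; rm -f "${KRB5CCNAME#FILE:}"' EXIT
    kinit -k -t /etc/docreader.keytab "$princ"
    ipa user-find --all
    ipa host-find --all
}

case "${1:-}" in --setup) setup_service ;; --run) run_report ;; esac
```

Invoke the script with `--setup` once as an admin and schedule `--run` in cron; with GSS-Proxy in place the keytab path in `run_report` would instead live in the gssproxy service configuration and the script would not touch it at all.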
