[Freeipa-users] Read-only permission with no authentication
Alexander Bokovoy
abokovoy at redhat.com
Tue May 17 16:02:37 UTC 2016
On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
>I'm trying to set up an account that will only have read permissions
>to FreeIPA's user and host info to get some automated documentation
>tasks running. Basically I want to set up a cron job on a FreeIPA
>server that will read info using the ipa command line tools like "ipa
>user-find", "ipa user-show --all" and some of the host commands.
>After it reads that info I can handle it in perl to maintain some
>documentation requirements. But I don't want to be forced into saving
>a password anywhere along the way if I can avoid it.
>
>Is there a way to set an account so it will be able to run those ipa
>commands in a read-only state but not have any authentication
>requirement?
No, it is not possible. On the IPA server side, all connections to the
management framework are always authenticated.
You can use an approach described in
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
to obtain an authentication token and make requests to the IPA server with
that token. However, this implies you still need to authenticate first.
Another approach would be to create a service, obtain a keytab with a
key for that service and run your 'ipa ...' calls with Kerberos
authentication based on that keytab. On reasonably recent systems you
can use GSS-Proxy to make sure your script does not have direct access
to the keytab; GSS-Proxy can then also re-acquire the ticket on your
behalf.
--
/ Alexander Bokovoy
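The keytab-based approach from the reply above, written out as an added example (this is not code from the thread or from the FreeIPA project). It assumes a hypothetical service principal docbot/ipa.example.com@EXAMPLE.COM, a keytab at /etc/docbot.keytab owned by a cron user "docbot", and an assumed GSS-Proxy configuration layout; granting the service whatever read permissions it needs through IPA's RBAC is left to the admin. The script refuses a keytab that is readable by anyone but its owner, uses a private credential cache per run, and destroys the ticket afterwards.

```shell
#!/bin/sh
# Added example (not from the original thread): run read-only "ipa ..." commands
# from cron with a service keytab instead of a stored password.
# Assumed names: service "docbot/ipa.example.com@EXAMPLE.COM", keytab
# /etc/docbot.keytab owned by the cron user "docbot". All are hypothetical.
#
# One-time setup, as an IPA admin:
#   ipa service-add docbot/ipa.example.com
#   ipa-getkeytab -p docbot/ipa.example.com -k /etc/docbot.keytab
#   chown docbot:docbot /etc/docbot.keytab && chmod 0600 /etc/docbot.keytab
set -eu

# Build "svc/host@REALM"; the realm defaults to the host's DNS domain upper-cased.
service_principal() {
    svc="$1"; host="$2"; realm="${3:-}"
    if [ -z "$realm" ]; then
        realm=$(printf '%s' "${host#*.}" | tr '[:lower:]' '[:upper:]')
    fi
    printf '%s/%s@%s\n' "$svc" "$host" "$realm"
}

# Refuse a keytab that anyone but its owner can read, or that we do not own:
# a leaked keytab is as bad as a leaked password.
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    case "$mode" in
        -rw-------) ;;   # 0600 only
        *) return 1 ;;
    esac
    [ "$owner" = "$(id -un)" ]
}

# Run a command with a ticket from the keytab in a private, throw-away credential
# cache, so the ticket never lands in a shared cache and is destroyed afterwards.
run_with_keytab() {
    principal="$1"; keytab="$2"; shift 2
    check_keytab_perms "$keytab" || { echo "refusing insecure keytab $keytab" >&2; return 1; }
    ccache=$(mktemp)
    KRB5CCNAME="FILE:$ccache"; export KRB5CCNAME
    kinit -k -t "$keytab" "$principal"
    rc=0
    "$@" || rc=$?
    kdestroy >/dev/null 2>&1 || true
    rm -f "$ccache"
    return "$rc"
}

# GSS-Proxy alternative (assumed config layout): gssproxy holds the keytab and
# acquires tickets for processes running as the given user; the cron job then
# runs with GSS_USE_PROXY=yes and never touches the keytab itself.
gssproxy_conf() {
    name="$1"; keytab="$2"; user="$3"
    cat <<EOF
[service/$name]
  mechs = krb5
  cred_store = keytab:$keytab
  cred_store = client_keytab:$keytab
  cred_usage = initiate
  euid = $user
EOF
}

# The cron entry: only the read-only queries the documentation job needs.
main() {
    principal=$(service_principal docbot ipa.example.com)
    run_with_keytab "$principal" /etc/docbot.keytab ipa user-find --all
    run_with_keytab "$principal" /etc/docbot.keytab ipa host-find --all
}

case "${1:-}" in run) main ;; esac
```

Invoke it from cron as the "docbot" user with the argument "run"; with the GSS-Proxy variant, write the output of gssproxy_conf to a file under /etc/gssproxy/, keep the keytab readable by gssproxy only, and drop the kinit step from the job.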