[Freeipa-users] Read-only permission with no authentication

Rob Crittenden rcritten at redhat.com
Tue May 17 17:36:36 UTC 2016


Alexander Bokovoy wrote:
> On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
>> I'm trying to set up an account that will only have read permissions
>> to FreeIPA's user and host info to get some automated documentation
>> tasks running.  Basically I want to set up a cron job on a FreeIPA
>> server that will read info using the ipa command line tools like "ipa
>> user-find", "ipa user-show --all" and some of the host commands. After
>> it reads that info I can handle it in perl to maintain some
>> documentation requirements.  But I don't want to be forced into saving
>> a password anywhere along the way if I can avoid it.
>>
>> Is there a way to set an account so it will be able to run those ipa
>> commands in a read-only state but not have any authentication
>> requirement?
> No, it is not possible. On IPA server side all connections to the
> management framework are always authenticated.
>
> You can use an approach described in
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
> to obtain authentication token and get requests to the IPA server with
> that token. However, this implies you still need to authenticate first.
>
> Another approach would be to create a service, obtain a keytab with a
> key for that service and run your 'ipa ...' calls with the Kerberos
> authentication based on that keytab. On reasonably recent systems you
> can use GSS-Proxy to make sure your script is not having direct access
> to the keytab and that would also make possible re-acquiring the ticket
> on your behalf by GSS-Proxy.

For users, depending on configuration, you can use an anonymous LDAP 
bind and skip the ipa tool. I'm pretty sure that hosts require an 
authenticated user to read the entries.

rob
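The two credential-free-for-the-script options raised in this thread (a service keytab for the ipa tools, and an anonymous LDAP bind for user entries) as one added example script. This is not code from the thread or from the FreeIPA project; the service name `docreader`, the keytab path `/etc/ipa/docreader.keytab`, the realm `EXAMPLE.COM` and the hostnames are assumed placeholders. It presumes the service was created beforehand with `ipa service-add` and its keytab fetched with `ipa-getkeytab`, and that the keytab file is readable only by the cron user.

```shell
#!/bin/sh
# Added example (not from the thread): run read-only "ipa" queries from a cron
# job using a service keytab instead of a stored password, with an anonymous
# LDAP search as the no-credential fallback for user entries.
# All names below (docreader, EXAMPLE.COM, ipa1.example.com) are assumed
# placeholders; substitute your own.
set -eu

# Build the Kerberos principal name for a service on a host,
# e.g. service_principal docreader ipa1.example.com EXAMPLE.COM
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Derive the IPA user container DN from a DNS domain
# (example.com -> cn=users,cn=accounts,dc=example,dc=com), FreeIPA's default layout.
user_base_dn() {
    suffix=$(printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/')
    printf 'cn=users,cn=accounts,%s\n' "$suffix"
}

# Obtain a ticket from the keytab into a private credential cache so the job
# never touches an interactive user's cache, and destroy it on exit so no
# ticket is left behind for anyone else on the box to pick up.
kinit_from_keytab() {
    keytab=$1; principal=$2
    export KRB5CCNAME="FILE:$(mktemp /tmp/ipa-readonly.XXXXXX)"
    trap 'kdestroy -q 2>/dev/null || true; rm -f "${KRB5CCNAME#FILE:}"' EXIT
    kinit -k -t "$keytab" "$principal"
}

# The read-only queries themselves; the caller (Perl, in the original
# question) consumes the output. What comes back is limited by the
# permissions granted to the service principal on the IPA side.
readonly_report() {
    ipa user-find --all
    ipa host-find --all
}

# Anonymous bind: no credentials at all, but only the user attributes the
# directory exposes anonymously are returned, and host entries still need an
# authenticated bind (Rob's point above).
anon_user_search() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$(user_base_dn "$2")" \
        '(objectClass=posixaccount)' uid cn mail
}

main() {
    princ=$(service_principal docreader "$(hostname -f)" EXAMPLE.COM)
    kinit_from_keytab /etc/ipa/docreader.keytab "$princ"
    readonly_report
}

# Only run the job when explicitly asked, so the helpers can also be sourced.
if [ "${RUN_IPA_REPORT:-0}" = "1" ]; then
    main "$@"
fi
```

Run it from cron as `RUN_IPA_REPORT=1 /usr/local/bin/ipa-readonly-report.sh`; the private `KRB5CCNAME` plus the `kdestroy` trap is what keeps the job from leaving a usable ticket cache on disk after it finishes, which is the same concern Alexander's GSS-Proxy suggestion addresses more thoroughly by keeping the keytab itself out of the script's reach.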