[Freeipa-users] ipalib authentication

Christian Heimes cheimes at redhat.com
Thu Nov 24 16:18:41 UTC 2016


On 2016-11-24 16:27, Adam Bishop wrote:
> I'm writing a bit of code using ipalib directly, I'm a little stuck on authentication though.
> 
> It works fine if I grab a Kerberos ticket with kinit then run the code interactively, but I'd like to run this as a daemon which makes maintaining a ticket tricky.
> 
> What other options are there for authenticating to the API, avoiding calling external tools like curl or kinit?

Hi Adam,

for a service you can use a Kerberos keytab to authenticate. A keytab
can be requested with ipa-getkeytab. The command will replace the
password of the service with a random one.

In order to use the keytab file from ipalib, simply set the env var
KRB5_CLIENT_KTNAME [1] to the absolute filename of the keytab file. You
can set it any time before you initialize FreeIPA's API. GSSAPI will
automatically pick up the keytab and use the first principal to
authenticate.

Christian

[1] https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html
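The sequence described in the reply above, as an added example that is not part of the original message or FreeIPA's own code: check the keytab's path and permissions, read which principal comes first in the file, export KRB5_CLIENT_KTNAME, and only then initialize ipalib. The helper names are hypothetical, and the example assumes an MIT keytab in format 0x0502 and that "the first principal" is the first entry stored in the file.

```python
import os
import stat
import struct


def first_principal(path):
    """Return the principal of the first entry in an MIT keytab (format 0x0502)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # hole left by a deleted entry: skip it
            pos += -size
            continue
        (count,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []  # realm first, then the name components
        for _ in range(count + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        return "/".join(parts[1:]) + "@" + parts[0]
    raise ValueError("keytab contains no entries")


def use_keytab(path):
    """Validate the keytab, export KRB5_CLIENT_KTNAME, return its first principal."""
    if not os.path.isabs(path):
        raise ValueError("keytab path must be absolute")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_mode & 0o077:
        raise PermissionError("keytab must be a regular file, mode 0600 or stricter")
    principal = first_principal(path)
    os.environ["KRB5_CLIENT_KTNAME"] = path
    return principal


def connect_ipa(keytab):
    """Export the keytab first, then initialize and connect FreeIPA's API."""
    principal = use_keytab(keytab)
    from ipalib import api  # imported late; needs an enrolled IPA client
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    return api, principal
```

Logging the returned principal at daemon start-up makes it visible which identity the service will authenticate as when a keytab holds more than one entry.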

