On Thu, 2014-02-27 at 11:32 -0500, Rob Crittenden wrote:
> Rich Megginson wrote:
> > On 02/27/2014 06:19 AM, Rob Crittenden wrote:
> >> Rich Megginson wrote:
> >>> On 02/26/2014 03:48 PM, Simo Sorce wrote:
> >>>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
> >>>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> >>>>>> Rich Megginson wrote:
> >>>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
> >>>>>>>> Rich Megginson wrote:
> >>>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
> >>>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
> >>>>>>>>>>> I'm working on adding support for freeipa DNS to openstack
> >>>>>>>>>>> designate (DNSaaS). I am assuming I need to use RPC (XML? JSON?
> >>>>>>>>>>> REST?) to communicate with freeipa. Is there documentation about
> >>>>>>>>>>> how to construct and send RPC messages?
> >>>>>>>>>>
> >>>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
> >>>>>>>>>> (read: documented), though it's extremely unlikely to change.
> >>>>>>>>>> If you need an example, run any ipa command with -vv, this will
> >>>>>>>>>> print out the request & response.
> >>>>>>>>>> API.txt in the source tree lists all the commands and params.
> >>>>>>>>>> This blog post still applies (but be sure to read the update
> >>>>>>>>>> about --cacert):
> >>>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> >>>>>>>>>
> >>>>>>>>> Ok. Next question is - how does one do the equivalent of the curl
> >>>>>>>>> command in python code?
> >>>>>>>>
> >>>>>>>> Here is a pretty stripped-down way to add a user. Other commands
> >>>>>>>> are similar, you just may care more about the output:
> >>>>>>>>
> >>>>>>>>     from ipalib import api
> >>>>>>>>     from ipalib import errors
> >>>>>>>>
> >>>>>>>>     api.bootstrap(context='cli')
> >>>>>>>>     api.finalize()
> >>>>>>>>     api.Backend.xmlclient.connect()
> >>>>>>>>
> >>>>>>>>     try:
> >>>>>>>>         api.Command['user_add'](u'testuser',
> >>>>>>>>                                 givenname=u'Test', sn=u'User',
> >>>>>>>>                                 loginshell=u'/bin/sh')
> >>>>>>>>     except errors.DuplicateEntry:
> >>>>>>>>         print("user already exists")
> >>>>>>>>     else:
> >>>>>>>>         print("User added")
> >>>>>>>>
> >>>>>>> How would one do this from outside of ipa? If ipalib is not
> >>>>>>> available?
> >>>>>>
> >>>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
> >>>>>> protocol you want to use) and issue one request there. This requires
> >>>>>> Kerberos authentication. The response will include a cookie which you
> >>>>>> should either ignore or store safely (like in the kernel keyring).
> >>>>>> Using the cookie will significantly improve performance.
> >>>>>
> >>>>> This is for the ipa dns backend for designate. I'm assuming I will
> >>>>> either be using a keytab, or perhaps the new proxy?
> >>>>>
> >>>>> At any rate, I have to do everything in python - including the kinit
> >>>>> with the keytab.
> >>>>
> >>>> Look at Rob's daemon, but you should *not* do a kinit, you should just
> >>>> use gssapi (see python-kerberos) and do a gss_init_sec_context there; if
> >>>> the environment is configured (KRB5_KTNAME set correctly) then gssapi
> >>>> will automatically kinit for you under the hood.
> >>>>
> >>>>> I guess I'm really looking for specifics - I've seen recommendations to
> >>>>> use the python libraries "requests" and "json". I don't know if
> >>>>> requests supports negotiate/kerberos. If not, is there a recommended
> >>>>> library to use? As this particular project will be part of openstack,
> >>>>> perhaps there is a more "openstack"-y library, or even something
> >>>>> built-in to openstack (oslo?). I think amqp supports kerberos, so
> >>>>> perhaps there is some oslo.messaging thing that will do the http +
> >>>>> kerberos stuff.
> >>>>
> >>>> Afaik there is nothing that does kerberos in openstack, you'll have to
> >>>> introduce all that stuff.
> >>>
> >>> Egads - implementing openstack-wide kerberos client libraries in order
> >>> to add an ipa dns backend to designate.
> >>>
> >>> Rob, need any help with your proxy?
> >>
> >> Well, something occurred to me this morning. You need SSL on top of
> >> this too, which means you need the IPA CA. The easiest way to get that
> >> is to enroll the designate server as an IPA client. This pulls in the
> >> freeipa-python package which gives you ipalib, so no reinventing the
> >> wheel required.
> >
> > I'm trying to use python-kerberos to do auth with a keytab
> > (KRB5_KTNAME), without first doing a kinit from the command line. It is
> > not working.
> >
> > Does anyone know how I can do client side kerberos auth with a keytab in
> > python without first doing a kinit?
>
> gssproxy. You need at least 0.3.1.
>
> Add something like this to the _top_ of /etc/gssproxy/gssproxy.conf:
>
>     [service/myservice]
>     mechs = krb5
>     cred_store = client_keytab:/etc/my.keytab
>     cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
>     cred_usage = initiate
>     euid = xx (where xx is the uid of your process)
>
> I found running gssproxy directly in debug mode in another window to be a
> handy debugging tool while I got my head wrapped around things.

Just for keytab initiation, GSS-Proxy should not be needed if you have
reasonably recent krb5-libs (>= 1.11 IIRC); we just use the gssapi lib in
gss-proxy too and don't do an explicit kinit in gss-proxy either.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
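The approach the thread converges on (plain requests + python-kerberos against /ipa/json, letting GSSAPI pick up credentials from KRB5_KTNAME instead of running kinit), as an added example that is not code from the thread or from FreeIPA; the host name, keytab and CA paths are assumptions, and the DNS command is used because this is for the designate backend.

```python
"""Added example: call FreeIPA JSON-RPC from outside ipalib with Negotiate auth.

Assumptions (not from the thread): requests and python-kerberos are installed,
the IPA CA is trusted via IPA_CA_CERT, and KRB5_KTNAME names the client keytab
so gss_init_sec_context acquires a TGT itself (no explicit kinit, per Simo)."""
import json
import os

IPA_HOST = "ipa.example.test"        # hypothetical IPA server
IPA_CA_CERT = "/etc/ipa/ca.crt"      # assumed path; needed for TLS, as Rob notes


def build_rpc_request(method, args=(), options=None, req_id=0):
    """FreeIPA JSON-RPC body: 'params' is [positional args, keyword options]."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": req_id}


def check_rpc_response(body):
    """Return the decoded 'result', raising on the RPC-level 'error' object."""
    err = body.get("error")
    if err:
        raise RuntimeError("IPA error %s: %s" % (err.get("code"), err.get("message")))
    return body["result"]


def ipa_call(method, args=(), options=None, session=None):
    """POST one call to /ipa/json, authenticating with SPNEGO from the keytab."""
    import kerberos   # python-kerberos; imported here so the helpers run without it
    import requests
    os.environ.setdefault("KRB5_KTNAME", "/etc/designate/ipa.keytab")  # assumed path
    _, ctx = kerberos.authGSSClientInit("HTTP@" + IPA_HOST)
    kerberos.authGSSClientStep(ctx, "")             # gss_init_sec_context, first leg
    token = kerberos.authGSSClientResponse(ctx)     # base64 SPNEGO token for the header
    headers = {
        "Authorization": "Negotiate " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Referer": "https://%s/ipa" % IPA_HOST,    # IPA rejects RPC calls without it
    }
    session = session or requests.Session()         # keeps the session cookie Rob mentions
    resp = session.post("https://%s/ipa/json" % IPA_HOST, headers=headers,
                        data=json.dumps(build_rpc_request(method, args, options)),
                        verify=IPA_CA_CERT)
    kerberos.authGSSClientClean(ctx)
    resp.raise_for_status()
    return check_rpc_response(resp.json())


if __name__ == "__main__":
    # Constructed sample: add an A record; zone and address are illustrative.
    print(ipa_call("dnsrecord_add", ["example.test.", "www"], {"arecord": "192.0.2.10"}))
```

Reusing the same requests.Session for later calls sends the cookie back, which is the performance gain the thread refers to.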