I have checked what you told me. What I would like to do is: having a user and a password, authenticate against the Kerberos server using a Python script (not using kinit) and then be able to access the ticket that is returned by Kerberos.

User -----> Service ------> Kerberos

The user sends user and password the first time to authenticate and then the ticket.

I know that this can look a bit weird but in the environment that I'm working on I need this.

Any idea how I can do this? I have checked many libraries in Python but they don't seem to have what I need.

Thanks in advance

Yago

On Tue, Aug 26, 2014 at 9:37 AM, Yago Fernández Pinilla <[email protected]> wrote:

> Thanks for the info!
>
> I will work more on this and comment my progress
>
> On Mon, Aug 25, 2014 at 5:48 PM, Rob Crittenden <[email protected]> wrote:
>
>> Yago Fernández Pinilla wrote:
>> > I'm using FreeIPA 3.3.5. And according to what I saw, using the API,
>> > seems to be the best option.
>> >
>> > For the time being I just want to request tickets and check tickets.
>> >
>> > Is that possible?
>>
>> I'm still not sure what it is you're trying to do.
>>
>> It's important to remember that IPA isn't a server itself, it is a
>> collection of services configured to work together towards a common goal
>> (centralized identity). What we add is a management framework on top to
>> (hopefully) make things easier. This is what our API does, helps you
>> manage users, groups, etc.
>>
>> A ticket is a Kerberos concept and you would obtain it directly from the
>> KDC. The IPA API is not involved in that case.
>>
>> If that is what you want to do then it involves the python-krbV package
>> which is difficult at best to use and doesn't implement the entire
>> Kerberos stack.
>> You can though do the equivalent of a kinit using a
>> keytab doing something like:
>>
>> import os
>>
>> import krbV
>> from ipalib import api
>>
>> # Initialize the IPA client so api.env (host, realm) is available
>> api.bootstrap(context='test')
>> api.finalize()
>>
>> ccache_file = 'FILE:/tmp/host_ccache'
>> krbcontext = krbV.default_context()
>> principal = str('host/%s@%s' % (api.env.host, api.env.realm))
>> keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
>> principal = krbV.Principal(name=principal, context=krbcontext)
>> os.environ['KRB5CCNAME'] = ccache_file
>> ccache = krbV.CCache(name=ccache_file, context=krbcontext,
>>                      primary_principal=principal)
>> # Create the cache, then fill it with a TGT obtained from the keytab
>> ccache.init(principal)
>> ccache.init_creds_keytab(keytab=keytab, principal=principal)
>>
>> You'll definitely want to do something differently with the ccache file
>> than I'm showing here.
>>
>> I threw in IPA client initialization here so you could use this to
>> prepare to do IPA API calls.
>>
>> rob
>>
>> > On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden <[email protected]> wrote:
>> >
>> > Yago Fernández Pinilla wrote:
>> > > I want to integrate it in another service. Is there any good documentation
>> > > about the APIs?
>> >
>> > We really need more details in order to help you.
>> >
>> > The API for IPA is not documented though once you get the patterns down
>> > it is fairly straightforward.
>> >
>> > This of course is a completely separate issue of kinit in python. What
>> > release of IPA on which distro(s) are you looking at?
>> >
>> > rob
>> >
>> > > Thanks in advance
>> > >
>> > > On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek <[email protected]> wrote:
>> > >
>> > > On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote:
>> > > > Hi,
>> > > >
>> > > > I would like to create a script in python that does the same as kinit, I
>> > > > don't know where to start.
>> > >
>> > > Why do you need this?
>> > >
>> > > --
>> > > Manage your subscription for the Freeipa-users mailing list:
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > Go To http://freeipa.org for more info on the project
>> > >
>> > > --
>> > > Yago Fernández Pinilla
>> > > e-mail: [email protected]
>> >
>> > --
>> > Yago Fernández Pinilla
>> > e-mail: [email protected]
>
> --
> Yago Fernández Pinilla
> e-mail: [email protected]

--
Yago Fernández Pinilla
e-mail: [email protected]
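
On the remark in the quoted reply that the ccache file should be handled differently from the fixed 'FILE:/tmp/host_ccache' name: the following is an added example, not code from the thread or from the FreeIPA project. It shows one way to give each run a private, owner-only credential cache location and to clean it up afterwards; the names private_ccache and check_private_ccache are hypothetical, and the "ticket" written here is a constructed placeholder standing in for what the Kerberos library would write.

```python
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def private_ccache(prefix="krb5cc_"):
    """Yield a KRB5CCNAME value inside a fresh, owner-only directory."""
    # mkdtemp creates a randomly named directory with mode 0700, so another
    # local user cannot pre-create the path or read the cached tickets.
    cache_dir = tempfile.mkdtemp(prefix=prefix)
    ccache_name = "FILE:" + os.path.join(cache_dir, "ccache")
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = ccache_name
    try:
        yield ccache_name
    finally:
        # Restore the caller's environment, then delete the cached tickets.
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        shutil.rmtree(cache_dir, ignore_errors=True)


def check_private_ccache():
    """Run the helper with a constructed stand-in for the ticket file."""
    before = os.environ.get("KRB5CCNAME")
    with private_ccache() as name:
        path = name[len("FILE:"):]
        cache_dir = os.path.dirname(path)
        dir_mode = stat.S_IMODE(os.stat(cache_dir).st_mode)
        # Stand-in for the file ccache.init_creds_keytab() would write.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.write(fd, b"constructed placeholder, not a real ticket")
        os.close(fd)
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
        env_inside = os.environ["KRB5CCNAME"] == name
    return {
        "dir_mode": dir_mode, "file_mode": file_mode, "env_inside": env_inside,
        "env_restored": os.environ.get("KRB5CCNAME") == before,
        "removed": not os.path.exists(cache_dir),
    }


if __name__ == "__main__":
    print(check_private_ccache())
```

In the quoted snippet, the value yielded by the context manager would take the place of ccache_file, with the krbV calls made inside the with block.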
