On 08/26/2014 11:43 AM, Yago Fernández Pinilla wrote:
I have checked what you told me.

What I would like to do is: having a user and a password, authenticate against the Kerberos server using a Python script (not using kinit) and then be able to access the ticket that is returned by Kerberos.

Access by what?
Can you please describe a full flow as you see it?


User -----> Service  ------> Kerberos

The user sends user and password the first time to authenticate and then the ticket. I know that this can look a bit weird, but in the environment that I'm working on I need this.

Any idea how I can do this? I have checked many libraries in Python but they don't seem to have what I need.

Thanks in advance

Yago



On Tue, Aug 26, 2014 at 9:37 AM, Yago Fernández Pinilla <yago...@gmail.com> wrote:

    Thanks for the info!

    I will work more on this and comment my progress



    On Mon, Aug 25, 2014 at 5:48 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

        Yago Fernández Pinilla wrote:
        > I'm using FreeIPA 3.3.5. And according to what I saw, using the API
        > seems to be the best option.
        >
        > For the time being I just want to request tickets and check tickets.
        >
        > Is that possible?

        I'm still not sure what it is you're trying to do.

        It's important to remember that IPA isn't a server itself, it is a
        collection of services configured to work together towards a common
        goal (centralized identity). What we add is a management framework on
        top to (hopefully) make things easier. This is what our API does,
        helps you manage users, groups, etc.

        A ticket is a Kerberos concept and you would obtain it directly from
        the KDC. The IPA API is not involved in that case.

        If that is what you want to do then it involves the python-krbV
        package which is difficult at best to use and doesn't implement the
        entire Kerberos stack. You can though do the equivalent of a kinit
        using a keytab doing something like:

        import os

        import krbV
        from ipalib import api

        # Initialize the IPA client framework so api.env is populated.
        api.bootstrap(context='test')
        api.finalize()

        ccache_file = 'FILE:/tmp/host_ccache'
        krbcontext = krbV.default_context()
        # Host principal of this machine, built from the IPA client settings.
        principal = str('host/%s@%s' % (api.env.host, api.env.realm))
        keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
        principal = krbV.Principal(name=principal, context=krbcontext)
        os.environ['KRB5CCNAME'] = ccache_file
        ccache = krbV.CCache(name=ccache_file, context=krbcontext,
            primary_principal=principal)
        ccache.init(principal)
        # Equivalent of "kinit -k": obtain a TGT using the keytab.
        ccache.init_creds_keytab(keytab=keytab, principal=principal)

        You'll definitely want to do something differently with the ccache
        file than I'm showing here.

        I threw in IPA client initialization here so you could use this to
        prepare to do IPA API calls.

        rob

        >
        > On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
        >
        >     Yago Fernández Pinilla wrote:
        >     > I want to integrate it in another service. Is there any good
        >     > documentation about the APIs?
        >
        >     We really need more details in order to help you.
        >
        >     The API for IPA is not documented though once you get the patterns
        >     down it is fairly straightforward.
        >
        >     This of course is a completely separate issue of kinit in python.
        >     What release of IPA on which distro(s) are you looking at?
        >
        >     rob
        >
        >     >
        >     > Thanks in advance
        >     >
        >     >
        >     > On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
        >     >
        >     >     On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote:
        >     >     > Hi,
        >     >     >
        >     >     > I would like to create a script in python that does the same
        >     >     > as kinit, I don't know where to start.
        >     >
        >     >     Why do you need this?
        >     >
        >     >     --
        >     >     Manage your subscription for the Freeipa-users mailing list:
        >     >     https://www.redhat.com/mailman/listinfo/freeipa-users
        >     >     Go To http://freeipa.org for more info on the project
        >     >
        >     >
        >     > --
        >     > Yago Fernández Pinilla
        >     > e-mail: yago...@gmail.com
        >     >
        >
        >
        > --
        > Yago Fernández Pinilla
        > e-mail: yago...@gmail.com
        >




    --
    Yago Fernández Pinilla
    e-mail: yago...@gmail.com


--
Yago Fernández Pinilla
e-mail: yago...@gmail.com





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
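
An added example, not part of the original thread and not FreeIPA code: one way to act on the remark above that the ccache file should be handled differently from the fixed FILE:/tmp/host_ccache path. It creates the cache in a private, unpredictably named directory and audits a FILE: cache location for ownership, mode and symlink problems; the function names and the directory prefix are assumptions made for illustration.

```python
import os
import stat
import tempfile


def make_private_ccache(prefix="krb5cc_svc_"):
    """Return (directory, KRB5CCNAME value) for a FILE: ccache in a fresh,
    unpredictably named directory that only the current user can enter."""
    directory = tempfile.mkdtemp(prefix=prefix)  # mkdtemp creates it mode 0700
    return directory, "FILE:" + os.path.join(directory, "ccache")


def child_env(ccname):
    """Environment for one child process; os.environ itself is left untouched."""
    env = dict(os.environ)
    env["KRB5CCNAME"] = ccname
    return env


def audit_ccache(ccname):
    """List the problems found with a FILE: credential cache location."""
    path = ccname[len("FILE:"):] if ccname.startswith("FILE:") else ccname
    problems = []
    uid = os.geteuid()
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != uid:
        problems.append("parent directory is owned by another user")
    if parent.st_mode & 0o022:
        problems.append("parent directory is writable by group or others")
    if os.path.lexists(path):
        st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        if stat.S_ISLNK(st.st_mode):
            problems.append("cache path is a symbolic link")
        elif st.st_uid != uid:
            problems.append("cache file is owned by another user")
        elif st.st_mode & 0o077:
            problems.append("cache file mode grants access to group or others")
    return problems


if __name__ == "__main__":
    directory, ccname = make_private_ccache()
    print(ccname, audit_ccache(ccname))
    # The fixed path from the thread, for comparison on this machine.
    print(audit_ccache("FILE:/tmp/host_ccache"))
```

Remove the directory returned by make_private_ccache() once the tickets are no longer needed, so the credentials do not outlive the process that requested them.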
