On 12/19/2014 08:54 AM, Serafini, Adam wrote:

I am trying to write some software that communicates with the FreeIPA server from a remote client.

Using Adam Young's helpful blog (
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/), I am successfully able to run this curl on the FreeIPA server itself:

curl -v -H referer:https://myserver.net/ipa -H "Content-Type:application/json" -H "Accept:application/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"user_find","params":[[""],{}],"id":0}' -X POST https://myserver.net/ipa/json

But when I try and run an similar curl from my client workstation (with pre-requisite Kerberos setup):

curl -v -H referer:https://myworkstation.net/ipa -H "Content-Type:application/json" -H "Accept:application/json" --negotiate -u : --cacert /tmp/ca.crt -d '{"method":"user_find","params":[[""],{}],"id":0}' -X POST https://myserver.net/ipa/json

The following error is generated in the Apache logs:

KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment

Would anyone have any pointers to fix, or a place to start investigating? I am assuming there is configuration problem but I have no idea where to begin. I believe I've done all the Kerberos setup correctly, but it's hard to tell.

It seems that curl can't find kerberos ticket cache.
KRB5CCNAME is an environment variable that points to the location of the ticket cache. Try defining it for curl and see what happens. I suppose knit works fine from the client you try it on.

Kind regards,

This message (including any attachments) may contain information that is privileged or confidential. If you are not the intended recipient, please notify the sender and delete this email immediately from your systems and destroy all copies of it. You may not, directly or indirectly, use, disclose, distribute, print or copy this email or any part of it if you are not the intended recipient

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to