On 12/19/2014 08:54 AM, Serafini, Adam wrote:
Hi,
I am trying to write some software that communicates with the FreeIPA
server from a remote client.
Using Adam Young's helpful blog (
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/),
I am successfully able to run this curl on the FreeIPA server itself:
    curl -v -H referer:https://myserver.net/ipa \
         -H "Content-Type:application/json" -H "Accept:application/json" \
         --negotiate -u : --cacert /etc/ipa/ca.crt \
         -d '{"method":"user_find","params":[[""],{}],"id":0}' \
         -X POST https://myserver.net/ipa/json
But when I try and run a similar curl from my client workstation
(with pre-requisite Kerberos setup):
    curl -v -H referer:https://myworkstation.net/ipa \
         -H "Content-Type:application/json" -H "Accept:application/json" \
         --negotiate -u : --cacert /tmp/ca.crt \
         -d '{"method":"user_find","params":[[""],{}],"id":0}' \
         -X POST https://myserver.net/ipa/json
The following error is generated in the Apache logs:
    KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment
Would anyone have any pointers to fix, or a place to start
investigating? I am assuming there is a configuration problem but I have
no idea where to begin. I believe I've done all the Kerberos setup
correctly, but it's hard to tell.

It seems that curl can't find the Kerberos ticket cache.
KRB5CCNAME is an environment variable that points to the location of the
ticket cache.
Try defining it for curl and see what happens. I suppose kinit works fine
from the client you try it on.

Kind regards,
Adam
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
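
The check suggested in the reply above, sketched as an added example that is not part of either message: resolve the ticket cache that KRB5CCNAME points to, confirm it holds a ticket, and only then send the user_find request from the thread. The function names are hypothetical, and the fallback path /tmp/krb5cc_<uid> assumes the traditional MIT default file cache (krb5.conf can set a different one).

```shell
#!/bin/sh
# Added example: pre-flight check of the Kerberos ticket cache before the
# curl --negotiate call. Function names are hypothetical.

# Print the cache file behind a KRB5CCNAME value ($1, may be empty).
# A bare path and "FILE:<path>" both name a file cache. An empty value falls
# back to the assumed MIT default /tmp/krb5cc_<uid>.
ccache_file() {
    cc=${1:-"FILE:/tmp/krb5cc_$(id -u)"}
    case $cc in
        FILE:*) printf '%s\n' "${cc#FILE:}" ;;
        /*)     printf '%s\n' "$cc" ;;
        *)      return 2 ;;   # KEYRING:, KCM:, DIR: have no single file
    esac
}

# 0 = readable, non-empty cache file; 1 = file missing or empty;
# 2 = not a file cache, so only klist can tell.
ccache_status() {
    f=$(ccache_file "$1") || return 2
    if [ -r "$f" ] && [ -s "$f" ]; then return 0; fi
    return 1
}

# Send the user_find request. Args: IPA server host, CA certificate file.
# Uses KRB5CCNAME from the caller's environment, as curl itself does.
ipa_user_find() {
    rc=0; ccache_status "${KRB5CCNAME:-}" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "ticket cache file missing or empty; run kinit" >&2
        return 1
    fi
    # klist -s is silent and exits non-zero when no valid ticket is cached.
    klist -s || { echo "no valid ticket in cache; run kinit" >&2; return 1; }
    # Headers follow the command that works on the server in the thread.
    curl -s -H "referer:https://$1/ipa" \
         -H "Content-Type:application/json" -H "Accept:application/json" \
         --negotiate -u : --cacert "$2" \
         -d '{"method":"user_find","params":[[""],{}],"id":0}' \
         -X POST "https://$1/ipa/json"
}

# Usage (not run here): KRB5CCNAME=FILE:/tmp/krb5cc_1000 ipa_user_find myserver.net /tmp/ca.crt
```
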