On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>
>> So for example for caacl-add:
>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>> description")
>>
>> you can try commands in "ipa console" it contains initialized API, just
>> call api.Command.<your-favorite-command>()
>>
>> API.txt provides the same information as API browser, but browser looks
>> better :)
>>
>> Feel free to ask anything, if you identified gaps in docs which are hard
>> to understand for non-IPA developer feel free report it, or feel free to
>> create howTo in freeipa.org page.
> 
> Thanks for the pointers. I'm looking at automating some user and group 
> additions, group editing, etc.  Am I right in assuming that anything that 
> uses 
> the api.Command.<some_command> will require a kinit <user> before it is run, 
> even if it is via the Python API? If I want to use a user/pass from the 
> script 
> itself (and not have a shell script which does kinit, then fires off my 
> Python 
> script) would I be better off hitting the web API with sessions and JSON-RPC 
> as 
> detailed here:
> 
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
> 
> Put another way, since I want to hit the API from a system that might not 
> have 
> sssd installed, nor has joined the realm, I assume it would be *impossible* 
> to 
> use api.Command.<something> as it relies on a Kerberos ticket?  To put it yet 
> another way: is there a way to hand a user/pass to the Python API and 
> authenticate that way.

The API itself can be hit with user/password, as noted in Alexander's blog. If
you want to use the actual Python API, Kerberos may be the only way. But I
think Jan or Petr may had some other (hacky) way to pass user+password there 
too.

> Those are the questions I did not see addressed in the docs that I found.  
> There were lots of examples of invoking commands, but I never saw anything 
> about authenticating to the server before running the commands.
> 
> Thanks again for the pointers, and if there is documentation I missed, feel 
> free to point me in that direction.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to