On 11.5.2016 10:52, Martin Kosek wrote:
On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
since IPA4.2 web UI contains API browser (IPA Server/API Browser)

So for example for caacl-add:
api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
description")

you can try commands in "ipa console" it contains initialized API, just
call api.Command.<your-favorite-command>()

API.txt provides the same information as API browser, but browser looks
better :)

Feel free to ask anything, if you identified gaps in docs which are hard
to understand for non-IPA developer feel free report it, or feel free to
create howTo in freeipa.org page.

Thanks for the pointers. I'm looking at automating some user and group
additions, group editing, etc.  Am I right in assuming that anything that uses
the api.Command.<some_command> will require a kinit <user> before it is run,
even if it is via the Python API? If I want to use a user/pass from the script
itself (and not have a shell script which does kinit, then fires off my Python
script) would I be better off hitting the web API with sessions and JSON-RPC as
detailed here:

https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

Put another way, since I want to hit the API from a system that might not have
sssd installed, nor has joined the realm, I assume it would be *impossible* to
use api.Command.<something> as it relies on a Kerberos ticket?  To put it yet
another way: is there a way to hand a user/pass to the Python API and
authenticate that way.

The API itself can be hit with user/password, as noted in Alexander's blog. If
you want to use the actual Python API, Kerberos may be the only way. But I
think Jan or Petr may had some other (hacky) way to pass user+password there 
too.

I don't think we support anything but Kerberos on the client side in our Python API. It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you?


Those are the questions I did not see addressed in the docs that I found.
There were lots of examples of invoking commands, but I never saw anything
about authenticating to the server before running the commands.

Thanks again for the pointers, and if there is documentation I missed, feel
free to point me in that direction.



--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to