On Thu, 12 May 2016, Jan Cholasta wrote:
On 11.5.2016 10:52, Martin Kosek wrote:
On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
since IPA4.2 web UI contains API browser (IPA Server/API Browser)

So for example for caacl-add:
api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional

you can try commands in "ipa console" it contains initialized API, just
call api.Command.<your-favorite-command>()

API.txt provides the same information as API browser, but browser looks
better :)

Feel free to ask anything, if you identified gaps in docs which are hard
to understand for non-IPA developer feel free report it, or feel free to
create howTo in freeipa.org page.

Thanks for the pointers. I'm looking at automating some user and group
additions, group editing, etc.  Am I right in assuming that anything that uses
the api.Command.<some_command> will require a kinit <user> before it is run,
even if it is via the Python API? If I want to use a user/pass from the script
itself (and not have a shell script which does kinit, then fires off my Python
script) would I be better off hitting the web API with sessions and JSON-RPC as
detailed here:


Put another way, since I want to hit the API from a system that might not have
sssd installed, nor has joined the realm, I assume it would be *impossible* to
use api.Command.<something> as it relies on a Kerberos ticket?  To put it yet
another way: is there a way to hand a user/pass to the Python API and
authenticate that way.

The API itself can be hit with user/password, as noted in Alexander's blog. If
you want to use the actual Python API, Kerberos may be the only way. But I
think Jan or Petr may had some other (hacky) way to pass user+password there 

I don't think we support anything but Kerberos on the client side in our Python API. It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you?
It should be relatively easy to update IPA cli code to accept a jar with
a cookie and use that if Kerberos ccache is missing or empty.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to