On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
> On Thu, 12 May 2016, Jan Cholasta wrote:
>> On 11.5.2016 10:52, Martin Kosek wrote:
>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>>
>>>>> So for example for caacl-add:
>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description")
>>>>>
>>>>> you can try commands in "ipa console" it contains initialized API, just
>>>>> call api.Command.<your-favorite-command>()
>>>>>
>>>>> API.txt provides the same information as API browser, but browser looks
>>>>> better :)
>>>>>
>>>>> Feel free to ask anything, if you identified gaps in docs which are hard
>>>>> to understand for non-IPA developer feel free to report it, or feel free to
>>>>> create howTo in freeipa.org page.
>>>>
>>>> Thanks for the pointers. I'm looking at automating some user and group
>>>> additions, group editing, etc. Am I right in assuming that anything that uses
>>>> the api.Command.<some_command> will require a kinit <user> before it is run,
>>>> even if it is via the Python API? If I want to use a user/pass from the script
>>>> itself (and not have a shell script which does kinit, then fires off my Python
>>>> script) would I be better off hitting the web API with sessions and JSON-RPC as
>>>> detailed here:
>>>>
>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>>
>>>> Put another way, since I want to hit the API from a system that might not have
>>>> sssd installed, nor has joined the realm, I assume it would be *impossible* to
>>>> use api.Command.<something> as it relies on a Kerberos ticket? To put it yet
>>>> another way: is there a way to hand a user/pass to the Python API and
>>>> authenticate that way?
>>>
>>> The API itself can be hit with user/password, as noted in Alexander's blog. If
>>> you want to use the actual Python API, Kerberos may be the only way. But I
>>> think Jan or Petr may have had some other (hacky) way to pass user+password
>>> there too.
>>
>> I don't think we support anything but Kerberos on the client side in
>> our Python API. It might be possible to somehow emulate what the web
>> UI does, but I haven't personally ever attempted to do that. Petr,
>> have you?
> It should be relatively easy to update IPA cli code to accept a jar with
> a cookie and use that if Kerberos ccache is missing or empty.
>
I implemented it a year ago, but the patch was not merged:
https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html
--
Petr Vobornik
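
An added example, not part of the thread and not FreeIPA's own code: a standard-library Python client for the password login plus session-cookie JSON-RPC flow discussed above, for a host that has no Kerberos ticket. The host name `ipa.example.test`, the `ca_file` argument and the class and function names are placeholders, and the handling of the `X-IPA-Rejection-Reason` header is an assumption about the server's 401 responses.

```python
import http.cookiejar
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

def _post(host, path, body, content_type):
    # FreeIPA rejects requests whose Referer is not its own /ipa URL.
    headers = {"Content-Type": content_type, "Referer": f"https://{host}/ipa"}
    return urllib.request.Request(f"https://{host}{path}", data=body, headers=headers)

def login_request(host, user, password):
    """Form POST that trades user/password for a session cookie."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return _post(host, "/ipa/session/login_password", body,
                 "application/x-www-form-urlencoded")

def rpc_request(host, method, args=(), options=None):
    """JSON-RPC call; authentication is carried only by the session cookie."""
    payload = {"method": method, "params": [list(args), options or {}], "id": 0}
    return _post(host, "/ipa/session/json", json.dumps(payload).encode(),
                 "application/json")

class IPASession:
    def __init__(self, host, ca_file):
        self.host = host
        # Verify the server against the IPA CA; never disable verification.
        ctx = ssl.create_default_context(cafile=ca_file)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def login(self, user, password):
        try:
            self.opener.open(login_request(self.host, user, password), timeout=10).close()
        except urllib.error.HTTPError as err:
            # Assumption: a 401 carries X-IPA-Rejection-Reason (e.g. password-expired).
            reason = err.headers.get("X-IPA-Rejection-Reason", "unknown")
            raise PermissionError(f"login rejected: {reason}") from None

    def call(self, method, args=(), options=None):
        req = rpc_request(self.host, method, args, options)
        with self.opener.open(req, timeout=10) as resp:
            reply = json.load(resp)
        if reply.get("error"):
            raise RuntimeError(reply["error"].get("message"))
        return reply["result"]
```

Read the password with `getpass` or from a file with restricted permissions rather than from the command line, and point `ca_file` at a copy of the IPA CA certificate.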