On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
> On Thu, 12 May 2016, Jan Cholasta wrote:
>> On 11.5.2016 10:52, Martin Kosek wrote:
>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>>
>>>>> So for example for caacl-add:
>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>>> description")
>>>>>
>>>>> you can try commands in "ipa console" it contains initialized API,
>>>>> just
>>>>> call api.Command.<your-favorite-command>()
>>>>>
>>>>> API.txt provides the same information as API browser, but browser
>>>>> looks
>>>>> better :)
>>>>>
>>>>> Feel free to ask anything, if you identified gaps in docs which are
>>>>> hard
>>>>> to understand for non-IPA developer feel free report it, or feel
>>>>> free to
>>>>> create howTo in freeipa.org page.
>>>>
>>>> Thanks for the pointers. I'm looking at automating some user and group
>>>> additions, group editing, etc.  Am I right in assuming that anything
>>>> that uses
>>>> the api.Command.<some_command> will require a kinit <user> before it
>>>> is run,
>>>> even if it is via the Python API? If I want to use a user/pass from
>>>> the script
>>>> itself (and not have a shell script which does kinit, then fires off
>>>> my Python
>>>> script) would I be better off hitting the web API with sessions and
>>>> JSON-RPC as
>>>> detailed here:
>>>>
>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>>
>>>>
>>>> Put another way, since I want to hit the API from a system that
>>>> might not have
>>>> sssd installed, nor has joined the realm, I assume it would be
>>>> *impossible* to
>>>> use api.Command.<something> as it relies on a Kerberos ticket?  To
>>>> put it yet
>>>> another way: is there a way to hand a user/pass to the Python API and
>>>> authenticate that way.
>>>
>>> The API itself can be hit with user/password, as noted in Alexander's
>>> blog. If
>>> you want to use the actual Python API, Kerberos may be the only way.
>>> But I
>>> think Jan or Petr may had some other (hacky) way to pass
>>> user+password there too.
>>
>> I don't think we support anything but Kerberos on the client side in
>> our Python API. It might be possible to somehow emulate what the web
>> UI does, but I haven't personally ever attempted to do that. Petr,
>> have you?
> It should be relatively easy to update IPA cli code to accept a jar with
> a cookie and use that if Kerberos ccache is missing or empty.
> 

I implemented it a year ago, but the patch was not merged:
https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to