On Fri, 13 May 2016, Petr Vobornik wrote:
On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
On Thu, 12 May 2016, Jan Cholasta wrote:
On 11.5.2016 10:52, Martin Kosek wrote:
On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
Since IPA 4.2, the web UI contains an API browser (IPA Server/API Browser).

So for example for caacl-add:
api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description")

You can try commands in "ipa console"; it contains an initialized API,
just call api.Command.<your-favorite-command>()

API.txt provides the same information as the API browser, but the browser
looks better :)

Feel free to ask anything. If you identify gaps in the docs which are hard
to understand for a non-IPA developer, feel free to report them, or feel
free to create a how-to on the freeipa.org page.

Thanks for the pointers. I'm looking at automating some user and group
additions, group editing, etc. Am I right in assuming that anything that
uses the api.Command.<some_command> will require a kinit <user> before it
is run, even if it is via the Python API? If I want to use a user/pass
from the script itself (and not have a shell script which does kinit, then
fires off my Python script) would I be better off hitting the web API with
sessions and JSON-RPC as detailed here:

https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/


Put another way, since I want to hit the API from a system that might not
have sssd installed, nor has joined the realm, I assume it would be
*impossible* to use api.Command.<something> as it relies on a Kerberos
ticket? To put it yet another way: is there a way to hand a user/pass to
the Python API and authenticate that way?

The API itself can be hit with user/password, as noted in Alexander's
blog. If you want to use the actual Python API, Kerberos may be the only
way. But I think Jan or Petr may have had some other (hacky) way to pass
user+password there too.

I don't think we support anything but Kerberos on the client side in
our Python API. It might be possible to somehow emulate what the web
UI does, but I haven't personally ever attempted to do that. Petr,
have you?
It should be relatively easy to update IPA cli code to accept a jar with
a cookie and use that if Kerberos ccache is missing or empty.


I implemented it a year ago, but the patch was not merged:
https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html
I can revive it. I think it brings sufficient value to get merged.
--
/ Alexander Bokovoy
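
Added example (not part of the thread and not FreeIPA project code): the user/password route discussed above, as a session login followed by a JSON-RPC call, using only the Python standard library so it runs on a host that has not joined the realm. The host name and the CA file path are placeholders; the endpoint paths are the session login and session JSON-RPC URLs of the FreeIPA web API, and the command is the caacl_add call quoted earlier in the thread.

```python
import getpass
import json
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def login_request(host, user, password):
    """Form-encoded POST that exchanges user/password for a session cookie."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return urllib.request.Request(
        f"https://{host}/ipa/session/login_password", data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "text/plain", "Referer": f"https://{host}/ipa"})


def rpc_request(host, method, args=(), options=None):
    """JSON-RPC POST to the session endpoint; the server checks the Referer."""
    payload = {"method": method, "params": [list(args), dict(options or {})], "id": 0}
    return urllib.request.Request(
        f"https://{host}/ipa/session/json", data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json", "Referer": f"https://{host}/ipa"})


def make_opener(ca_file):
    """Opener that keeps the session cookie and trusts only the given IPA CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(CookieJar()))


def call(opener, host, method, args=(), options=None):
    """Send one command and return its result, raising on an API-level error."""
    with opener.open(rpc_request(host, method, args, options)) as resp:
        reply = json.load(resp)
    if reply.get("error"):
        raise RuntimeError(reply["error"].get("message", "IPA error"))
    return reply["result"]


if __name__ == "__main__":
    host = "ipa.example.test"            # placeholder server name
    opener = make_opener("ipa-ca.crt")   # placeholder: copy of the IPA CA cert
    opener.open(login_request(host, "admin", getpass.getpass())).close()
    print(call(opener, host, "caacl_add", ["argument-ca-acl-name"],
               {"description": "optional description"}))
```

The password is read at the prompt rather than stored in the script, and a failed login surfaces as an `urllib.error.HTTPError` from the login call.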
