Alexander Bokovoy wrote:
> On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
>> I'm trying to set up an account that will only have read permissions
>> to FreeIPA's user and host info to get some automated documentation
>> tasks running.  Basically I want to set up a cron job on a FreeIPA
>> server that will read info using the ipa command line tools like "ipa
>> user-find", "ipa user-show --all" and some of the host commands. After
>> it reads that info I can handle it in perl to maintain some
>> documentation requirements.  But I don't want to be forced into saving
>> a password anywhere along the way if I can avoid it.
>>
>> Is there a way to set an account so it will be able to run those ipa
>> commands in a read-only state but not have any authentication
>> requirement?
> No, it is not possible. On IPA server side all connections to the
> management framework are always authenticated.
>
> You can use an approach described in
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
> to obtain authentication token and get requests to the IPA server with
> that token. However, this implies you still need to authenticate first.
>
> Another approach would be to create a service, obtain a keytab with a
> key for that service and run your 'ipa ...' calls with the Kerberos
> authentication based on that keytab. On reasonably recent systems you
> can use GSS-Proxy to make sure your script is not having direct access
> to the keytab and that would also make possible re-acquiring the ticket
> on your behalf by GSS-Proxy.

For users, depending on configuration, you can use an anonymous LDAP bind and skip the ipa tool. I'm pretty sure that hosts require an authenticated user to read the entries.

rob
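The keytab-based approach Alexander describes, as an added example that is not part of this thread or of FreeIPA's own code: a cron-friendly Python wrapper that obtains a ticket from a service keytab into a private credential cache, runs a read-only `ipa` command with it, destroys the cache afterwards, and parses the CLI output into dicts for further processing. It assumes a service principal has already been created with `ipa service-add` and its keytab fetched with `ipa-getkeytab`; the principal name `docs/ipa.example.com@EXAMPLE.COM`, the keytab path `/etc/ipa-docs.keytab` and the sample `ipa user-find` output are placeholders constructed for the example. No password is stored anywhere; the only secret on disk is the keytab, and the script refuses to use it if its permissions let other users read it.

```python
"""Read-only FreeIPA lookups from cron using a service keytab (added example).

Assumes a service principal such as docs/ipa.example.com@EXAMPLE.COM exists
(ipa service-add, then ipa-getkeytab to fetch its keytab).  PRINCIPAL and
KEYTAB are placeholders, not values from the thread.
"""
import os
import stat
import subprocess
import tempfile

PRINCIPAL = "docs/ipa.example.com@EXAMPLE.COM"   # placeholder principal
KEYTAB = "/etc/ipa-docs.keytab"                  # placeholder keytab path

# Constructed sample of `ipa user-find` output, used to exercise the parser offline.
SAMPLE_USER_FIND = """\
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  UID: 1000
  Member of groups: admins, trust admins

  User login: sberg
  First name: Stephen
  Last name: Berg
  Home directory: /home/sberg
  UID: 1001
  Member of groups: ipausers
----------------------------
Number of entries returned 2
----------------------------
"""


def check_keytab_perms(path):
    """Refuse to use a keytab that group or others can read: the keytab is the
    only long-lived secret in this setup, so it must be owned by the cron user
    and mode 0600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to others (mode {mode:04o})")


def parse_ipa_output(text):
    """Parse the human-readable output of `ipa user-find` / `ipa host-find`.

    Entries are two-space indented 'Key: value' lines separated by blank lines;
    the dashed banners ('2 users matched', 'Number of entries returned 2') are
    not indented and are skipped.  Returns a list of dicts, one per entry.
    Multi-valued attributes are kept as the comma-separated string IPA prints.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.startswith("  "):
            # Banner or blank line: close the entry being collected, if any.
            if current:
                entries.append(current)
                current = {}
            continue
        if ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
    if current:
        entries.append(current)
    return entries


def run_with_keytab(argv, principal=PRINCIPAL, keytab=KEYTAB):
    """Run an `ipa ...` command authenticated from the keytab.

    A throwaway KRB5CCNAME keeps the ticket out of the user's default cache,
    and kdestroy runs even if the ipa command fails.  (With GSS-Proxy, as
    Alexander mentions, the kinit step goes away and the script never touches
    the keytab at all; this example does the plain kinit variant.)
    """
    check_keytab_perms(keytab)
    with tempfile.TemporaryDirectory() as tmp:
        env = dict(os.environ, KRB5CCNAME=f"FILE:{tmp}/ccache")
        subprocess.run(["kinit", "-k", "-t", keytab, principal], env=env, check=True)
        try:
            out = subprocess.run(argv, env=env, check=True,
                                 capture_output=True, text=True).stdout
        finally:
            subprocess.run(["kdestroy"], env=env, check=False)
    return parse_ipa_output(out)


if __name__ == "__main__":
    # Read-only query; the service's own permissions decide what it may see.
    for user in run_with_keytab(["ipa", "user-find", "--all"]):
        print(user.get("User login"), user.get("Home directory"))
```

The service principal gets no special privileges beyond what FreeIPA grants any authenticated principal to read, which is exactly the read-only scope the question asks for; anything the documentation job does not need to see can be further restricted with IPA permissions on the server side rather than in the script.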

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
