On 2016-11-24 16:27, Adam Bishop wrote: > I'm writing a bit of code using ipalib directly, I'm a little stuck on > authentication though. > > It works fine if grab a Kerberos ticket with kinit then run the code > interactively, but I'd like to run this as a daemon which makes maintaining a > ticket tricky. > > What other options are there for authenticating to the API, avoiding calling > external tools like curl or kinit?
Hi Adam, for a service you can use a Kerberos keytab to authenticate. A keytab can be requested with ipa-getkeytab. The command will replace the password of the service with a random one. In order to use the keytab file from ipalib, simple set the env var KRB5_CLIENT_KTNAME  to the absolute filename of the keytab file. You can set it any time before you initialize FreeIPA's API. GSSAPI will automatically pick up the keytab and use the first principal to authenticate. Christian https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project