On 2016-11-24 16:27, Adam Bishop wrote:
> I'm writing a bit of code using ipalib directly, I'm a little stuck on 
> authentication though.
> 
> It works fine if I grab a Kerberos ticket with kinit then run the code 
> interactively, but I'd like to run this as a daemon which makes maintaining a 
> ticket tricky.
> 
> What other options are there for authenticating to the API, avoiding calling 
> external tools like curl or kinit?

Hi Adam,

for a service you can use a Kerberos keytab to authenticate. A keytab
can be requested with ipa-getkeytab. The command will replace the
password of the service with a random one.

In order to use the keytab file from ipalib, simply set the env var
KRB5_CLIENT_KTNAME [1] to the absolute filename of the keytab file. You
can set it any time before you initialize FreeIPA's API. GSSAPI will
automatically pick up the keytab and use the first principal to
authenticate.

Christian

[1] https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

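The approach described in the reply above, as an added example that is not part of the original message or FreeIPA's own code: it checks that the keytab is private to the daemon's user, sets KRB5_CLIENT_KTNAME, and only then initializes ipalib. The keytab path, the function names and the `cli` context are assumptions; a POSIX system is assumed for the ownership and mode checks.

```python
import os
import stat


def check_keytab(path):
    """Return a list of problems that make the keytab unsafe or unusable."""
    problems = []
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    try:
        st = os.stat(path)
    except OSError as exc:
        return problems + ["cannot stat keytab: %s" % exc.strerror]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    # A keytab holds the service's long-term keys: anyone who can read it
    # can authenticate as the service principal.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or others (expected mode 0600)")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the daemon's user")
    if st.st_size == 0:
        problems.append("file is empty")
    return problems


def use_keytab(path, environ=os.environ):
    """Point GSSAPI at the keytab; must run before the API is initialized."""
    problems = check_keytab(path)
    if problems:
        raise RuntimeError("refusing keytab %s: %s" % (path, "; ".join(problems)))
    environ["KRB5_CLIENT_KTNAME"] = path
    return environ["KRB5_CLIENT_KTNAME"]


def connect_ipa(keytab_path):
    """Authenticate to the FreeIPA API from the keytab, without kinit."""
    use_keytab(keytab_path)
    from ipalib import api  # imported late so the env var is already set
    api.bootstrap(context="cli")  # assumption: the default client context
    api.finalize()
    api.Backend.rpcclient.connect()  # GSSAPI picks up the keytab here
    return api


if __name__ == "__main__":
    # Hypothetical path; use the file written by ipa-getkeytab for the service.
    api = connect_ipa("/etc/mydaemon/service.keytab")
    print(api.Command.ping())
```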