On 08/26/2014 11:43 AM, Yago Fernández Pinilla wrote:
I have checked what you told me.
What I would like to do is: having a user and a password, authenticate
against the Kerberos server using a Python script (not using kinit)
and then be able to access the ticket that is returned by
Kerberos.
Access by what?
Can you please describe a full flow as you see it?
User -----> Service ------> Kerberos
The user sends user and password the first time to authenticate and
then the ticket.
I know that this can look a bit weird but in the environment that I'm
working on I need this.
Any idea how I can do this? I have checked many libraries in Python
but they don't seem to have what I need.
Thanks in advance
Yago
On Tue, Aug 26, 2014 at 9:37 AM, Yago Fernández Pinilla wrote:
Thanks for the info!
I will work more on this and comment my progress
On Mon, Aug 25, 2014 at 5:48 PM, Rob Crittenden wrote:
Yago Fernández Pinilla wrote:
> I'm using FreeIPA 3.3.5. And according to what I saw, using the API
> seems to be the best option.
>
> For the time being I just want to request tickets and check tickets.
>
> Is that possible?
>
I'm still not sure what it is you're trying to do.
It's important to remember that IPA isn't a server itself, it is a
collection of services configured to work together towards a common goal
(centralized identity). What we add is a management framework on top to
(hopefully) make things easier. This is what our API does, helps you
manage users, groups, etc.
A ticket is a Kerberos concept and you would obtain it directly from the
KDC. The IPA API is not involved in that case.
If that is what you want to do then it involves the python-krbV package
which is difficult at best to use and doesn't implement the entire
Kerberos stack. You can though do the equivalent of a kinit using a
keytab doing something like:
    import os

    import krbV
    from ipalib import api

    # Initialize the IPA client framework so api.env (host, realm) is populated
    api.bootstrap(context='test')
    api.finalize()

    ccache_file = 'FILE:/tmp/host_ccache'
    krbcontext = krbV.default_context()
    # Host principal for this machine: host/<fqdn>@<REALM>
    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
    keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
    principal = krbV.Principal(name=principal, context=krbcontext)
    # Point the Kerberos libraries at the new credential cache
    os.environ['KRB5CCNAME'] = ccache_file
    ccache = krbV.CCache(name=ccache_file, context=krbcontext,
                         primary_principal=principal)
    ccache.init(principal)
    # Equivalent of "kinit -k": obtain a TGT using the keytab
    ccache.init_creds_keytab(keytab=keytab, principal=principal)
You'll definitely want to do something differently with the ccache file
than I'm showing here.
I threw in IPA client initialization here so you could use this to
prepare to do IPA API calls.
rob
>
>
> On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden wrote:
>
> Yago Fernández Pinilla wrote:
> > I want to integrate it in other service. Is there any good documentation
> > about the APIs?
>
> We really need more details in order to help you.
>
> The API for IPA is not documented though once you get the patterns down
> it is fairly straightforward.
>
> This of course is a completely separate issue of kinit in python. What
> release of IPA on which distro(s) are you looking at?
>
> rob
>
> >
> > Thanks in advance
> >
> >
> > On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek wrote:
> >
> > On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote:
> > > Hi,
> > >
> > > I would like to create a script in Python that does the same as kinit, I
> > > don't know where to start.
> >
> > Why do you need this?
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
> >
> >
> >
> >
> > --
> > Yago Fernández Pinilla
> >
> >
> >
>
>
>
>
> --
> Yago Fernández Pinilla
>
--
Yago Fernández Pinilla
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
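
Rob's message in the thread notes that the ccache file should be handled differently from the fixed 'FILE:/tmp/host_ccache' he shows. The following is an added example, not code from the thread, FreeIPA or python-krbV: it keeps the credential cache in a per-process, owner-only directory and removes it afterwards. The helper names private_ccache and check_ccache_location are hypothetical, and it assumes a POSIX system.

```python
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def private_ccache(prefix="krb5cc_"):
    """Yield a FILE: ccache name inside a fresh, owner-only directory.

    KRB5CCNAME points at it inside the block; afterwards the previous
    value is restored and the directory (with any tickets) is removed.
    """
    # mkdtemp creates the directory with mode 0700 and an unpredictable
    # name, so other local users cannot pre-create or read the cache file.
    cache_dir = tempfile.mkdtemp(prefix=prefix)
    ccache_name = "FILE:" + os.path.join(cache_dir, "ccache")
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = ccache_name
    try:
        yield ccache_name
    finally:
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        shutil.rmtree(cache_dir, ignore_errors=True)


def check_ccache_location(ccache_name):
    """Return a list of problems with a FILE: ccache location (empty = ok)."""
    if not ccache_name.startswith("FILE:"):
        return ["not a FILE: ccache"]
    parent = os.path.dirname(ccache_name[len("FILE:"):])
    st = os.stat(parent)
    problems = []
    if st.st_uid != os.getuid():
        problems.append("directory not owned by current user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("directory accessible to group or others")
    return problems


if __name__ == "__main__":
    with private_ccache() as name:
        # Assumption: the krbV calls from the message would go here, using
        # `name` in place of the fixed 'FILE:/tmp/host_ccache'.
        print(name, check_ccache_location(name))
```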