Dmitri Pal wrote:
On 02/26/2014 05:48 PM, Simo Sorce wrote:
On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
On 02/26/2014 03:22 PM, Rob Crittenden wrote:
Rich Megginson wrote:
On 02/26/2014 02:19 PM, Rob Crittenden wrote:
Rich Megginson wrote:
On 02/26/2014 08:53 AM, Petr Viktorin wrote:
On 02/26/2014 04:45 PM, Rich Megginson wrote:
I'm working on adding support for freeipa DNS to openstack designate
(DNSaaS). I am assuming I need to use RPC (XML? JSON? REST?) to
communicate with freeipa. Is there documentation about how to construct
and send RPC messages?
The JSON-RPC and XML-RPC API is still not "officially supported"
(read: documented), though it's extremely unlikely to change.
If you need an example, run any ipa command with -vv; this will print
out the request & response.
API.txt in the source tree lists all the commands and params.
This blog post still applies (but be sure to read the update about
--cacert):
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
Ok.  Next question is - how does one do the equivalent of the curl
command in python code?
Here is a pretty stripped-down way to add a user. Other commands are
similar, you just may care more about the output:

from ipalib import api
from ipalib import errors

# Bootstrap the framework in CLI context, then connect the XML-RPC client
# backend (this authenticates with the caller's Kerberos credentials).
api.bootstrap(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

try:
    # The positional argument is the uid; command options are keyword arguments.
    api.Command['user_add'](u'testuser',
                            givenname=u'Test', sn=u'User',
                            loginshell=u'/bin/sh')
except errors.DuplicateEntry:
    print("user already exists")
else:
    print("User added")

How would one do this from outside of ipa?  If ipalib is not
available?
You'd need to go to either /ipa/xml or /ipa/json (depending on what
protocol you want to use) and issue one request there. This requires
Kerberos authentication. The response will include a cookie which you
should either ignore or store safely (like in the kernel keyring).
Using the cookie will significantly improve performance.
This is for the ipa dns backend for designate.  I'm assuming I will
either be using a keytab, or perhaps the new proxy?

At any rate, I have to do everything in python - including the kinit
with the keytab.
Look at Rob's daemon, but you should *not* do a kinit; you should just use
gssapi (see python-kerberos) and do a gss_init_sec_context there. If the
environment is configured (KRB5_KTNAME set correctly) then gssapi will
automatically kinit for you under the hood.

Yes look at Rob's smart proxy and use a similar approach.

This is a little different since the smart proxy is directly using ipalib.

You'll need to use python-kerberos to do the GSSAPI work. Basically you need to get a service ticket for the remote server using your TGT and pass that in the HTTP Authorization header.

There was a patch floating around for python-requests to do Kerberos but I'm not sure if it has been accepted upstream, or if it has if it is generally available. That patch may have been converted into a separate project, I found a repo at https://github.com/requests/requests-kerberos. At a glance it looks like this module does all the work for you.

To see how we do it, look in ipalib/rpc.py in the KerbTransport class, specifically in get_host_info(). That shows the calls IPA makes to get the information needed for the header, but this is for httplib.

rob
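
A worked version of the flow Rob and Simo describe, added here as an example; it is not code from this thread, from FreeIPA or from designate. It posts a JSON-RPC request to the /ipa/json endpoint named above, sends a GSSAPI token in the HTTP Authorization header on the first request, and then reuses the session cookie the server returns instead of doing another GSSAPI exchange. The transport, the token and the server replies are constructed stand-ins so it runs offline; the JSON body layout (method, [args, options]), the Content-Type/Accept headers and the error member format are assumptions based on what `ipa -vv` prints, and the cookie value is made up.

```python
# Added example, not from the thread: minimal JSON-RPC client skeleton for /ipa/json.
import base64
import json

IPA_JSON_PATH = "/ipa/json"          # endpoint named in the thread


class IpaError(Exception):
    """Raised when the server's reply carries a non-null 'error' member."""

    def __init__(self, code, name, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.code, self.name = code, name


def build_request(method, args=(), options=None, request_id=0):
    """Build the request body: 'params' is [positional args, options dict]."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": request_id}


def negotiate_header(gss_token):
    """Wrap a raw GSSAPI token (bytes) for the HTTP Authorization header.

    With python-kerberos the token comes from authGSSClientInit('HTTP@<server>'),
    authGSSClientStep(ctx, '') and authGSSClientResponse(ctx); that last call already
    returns base64 text, so the encode step below would be skipped. A keytab named by
    KRB5_KTNAME is picked up under the hood, as Simo notes, with no explicit kinit.
    """
    return "Negotiate " + base64.b64encode(gss_token).decode("ascii")


def parse_response(body):
    """Return the 'result' member, or raise IpaError from the 'error' member."""
    data = json.loads(body)
    err = data.get("error")
    if err:
        raise IpaError(err.get("code"), err.get("name"), err.get("message"))
    return data["result"]


class FakeTransport:
    """Constructed stand-in for an HTTPS session: records every POST's headers and
    answers from a scripted list of (status, response headers, body) tuples."""

    def __init__(self, scripted):
        self.scripted = list(scripted)
        self.sent = []

    def post(self, path, headers, body):
        self.sent.append((path, dict(headers), body))
        return self.scripted.pop(0)


class IpaClient:
    def __init__(self, transport, token_source):
        self.transport = transport
        self.token_source = token_source   # callable returning a GSSAPI token (bytes)
        self.cookie = None                 # session cookie; treat it like a credential

    def call(self, method, args=(), **options):
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.cookie:
            headers["Cookie"] = self.cookie          # reuse the session, no GSSAPI round trip
        else:
            headers["Authorization"] = negotiate_header(self.token_source())
        body = json.dumps(build_request(method, args, options))
        status, resp_headers, resp_body = self.transport.post(IPA_JSON_PATH, headers, body)
        if status == 401:
            raise IpaError(401, "Unauthorized", "Kerberos authentication failed")
        set_cookie = resp_headers.get("Set-Cookie")
        if set_cookie:
            self.cookie = set_cookie.split(";", 1)[0]  # keep name=value, drop attributes
        return parse_response(resp_body)


def demo():
    """Add the same user twice: the first call authenticates with GSSAPI, the second
    reuses the cookie and gets DuplicateEntry back. Returns (auth used, error name)."""
    ok = json.dumps({"result": {"value": "testuser", "summary": 'Added user "testuser"'},
                     "error": None, "id": 0})                      # constructed reply
    dup = json.dumps({"result": None, "id": 0,                     # constructed reply
                      "error": {"code": 4002, "name": "DuplicateEntry",
                                "message": 'user with name "testuser" already exists'}})
    transport = FakeTransport([
        (200, {"Set-Cookie": "ipa_session=CONSTRUCTED-VALUE; Path=/ipa; Secure; HttpOnly"}, ok),
        (200, {}, dup),
    ])
    client = IpaClient(transport, lambda: b"constructed-gss-token")
    client.call("user_add", ["testuser"], givenname="Test", sn="User", loginshell="/bin/sh")
    try:
        client.call("user_add", ["testuser"], givenname="Test", sn="User", loginshell="/bin/sh")
        err_name = None
    except IpaError as e:
        err_name = e.name
    auth_used = ["Authorization" if "Authorization" in h else "Cookie" for _, h, _ in transport.sent]
    return auth_used, err_name


if __name__ == "__main__":
    print(demo())   # (['Authorization', 'Cookie'], 'DuplicateEntry')
```

To run this against a real server you would replace FakeTransport with an HTTPS session that verifies the IPA CA certificate (the --cacert point from the blog post Petr linked) and replace the lambda with the python-kerberos calls named in the docstring; everything else stays the same.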

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
