On Thu, 2014-02-27 at 08:41 -0700, Rich Megginson wrote:
> On 02/27/2014 06:19 AM, Rob Crittenden wrote:
> > Rich Megginson wrote:
> >> On 02/26/2014 03:48 PM, Simo Sorce wrote:
> >>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
> >>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> >>>>> Rich Megginson wrote:
> >>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
> >>>>>>> Rich Megginson wrote:
> >>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
> >>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
> >>>>>>>>>> I'm working on adding support for freeipa DNS to openstack designate
> >>>>>>>>>> (DNSaaS). I am assuming I need to use RPC (XML? JSON? REST?) to
> >>>>>>>>>> communicate with freeipa. Is there documentation about how to construct
> >>>>>>>>>> and send RPC messages?
> >>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
> >>>>>>>>> (read: documented), though it's extremely unlikely to change.
> >>>>>>>>> If you need an example, run any ipa command with -vv, this will print
> >>>>>>>>> out the request & response.
> >>>>>>>>> API.txt in the source tree lists all the commands and params.
> >>>>>>>>> This blog post still applies (but be sure to read the update about
> >>>>>>>>> --cacert):
> >>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> >>>>>>>> Ok. Next question is - how does one do the equivalent of the curl
> >>>>>>>> command in python code?
> >>>>>>> Here is a pretty stripped-down way to add a user. Other commands are
> >>>>>>> similar, you just may care more about the output:
> >>>>>>>
> >>>>>>> from ipalib import api
> >>>>>>> from ipalib import errors
> >>>>>>>
> >>>>>>> api.bootstrap(context='cli')
> >>>>>>> api.finalize()
> >>>>>>> api.Backend.xmlclient.connect()
> >>>>>>>
> >>>>>>> try:
> >>>>>>>     api.Command['user_add'](u'testuser',
> >>>>>>>                             givenname=u'Test', sn=u'User',
> >>>>>>>                             loginshell=u'/bin/sh')
> >>>>>>> except errors.DuplicateEntry:
> >>>>>>>     print "user already exists"
> >>>>>>> else:
> >>>>>>>     print "User added"
> >>>>>>>
> >>>>>> How would one do this from outside of ipa? If ipalib is not available?
> >>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
> >>>>> protocol you want to use) and issue one request there. This requires
> >>>>> Kerberos authentication. The response will include a cookie which you
> >>>>> should either ignore or store safely (like in the kernel keyring).
> >>>>> Using the cookie will significantly improve performance.
> >>>> This is for the ipa dns backend for designate. I'm assuming I will
> >>>> either be using a keytab, or perhaps the new proxy?
> >>>>
> >>>> At any rate, I have to do everything in python - including the kinit
> >>>> with the keytab.
> >>> Look at Rob's daemon, but you should *not* do a kinit, you should just use
> >>> gssapi (see python-kerberos) and do a gss_init_sec_context there; if the
> >>> environment is configured (KRB5_KTNAME set correctly) then gssapi will
> >>> automatically kinit for you under the hood.
> >>>
> >>>> I guess I'm really looking for specifics - I've seen recommendations to
> >>>> use the python libraries "requests" and "json". I don't know if
> >>>> requests supports negotiate/kerberos. If not, is there a recommended
> >>>> library to use? As this particular project will be part of openstack,
> >>>> perhaps there is a more "openstack"-y library, or even something
> >>>> built-in to openstack (oslo?). I think amqp supports kerberos, so
> >>>> perhaps there is some oslo.messaging thing that will do the http +
> >>>> kerberos stuff.
> >>> Afaik there is nothing that does kerberos in openstack, you'll have to
> >>> introduce all that stuff.
> >>
> >> Egads - implementing openstack-wide kerberos client libraries in order
> >> to add an ipa dns backend to designate.
> >>
> >> Rob, need any help with your proxy?
> >
> > Well, something occurred to me this morning. You need SSL on top of
> > this too, which means you need the IPA CA. The easiest way to get that
> > is to enroll the designate server as an IPA client. This pulls in the
> > freeipa-python package which gives you ipalib, so no reinventing the
> > wheel required.
>
> I'm trying to use python-kerberos to do auth with a keytab
> (KRB5_KTNAME), without first doing a kinit from the command line. It is
> not working.
>
> Does anyone know how I can do client side kerberos auth with a keytab in
> python without first doing a kinit?

Ping me privately if you can't make it work and we'll try to debug why.

Simo

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
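The flow the thread sketches, as an added worked example that is not part of the thread and not FreeIPA's own client code: one JSON-RPC POST to /ipa/json over HTTPS (verified against the IPA CA), authenticated with GSSAPI through python-kerberos straight from a keytab instead of a separate kinit, with the session cookie IPA hands back reused for later calls. Assumptions: `requests` and python-kerberos are installed (both are imported lazily, so the pure helpers run without them); the IPA host, keytab path, /etc/ipa/ca.crt as the CA file and the sample response bodies are all constructed for the example; and the keytab is handed to libkrb5 through KRB5_CLIENT_KTNAME, the client-keytab variable that MIT krb5 1.11 and later read to acquire initiator credentials on their own.

```python
"""JSON-RPC call to FreeIPA from plain Python (no ipalib), authenticated with
Kerberos/GSSAPI from a keytab.  Example for the freeipa-devel thread above,
not FreeIPA's own code; host names, paths and responses are constructed."""
import json
import os


def build_rpc_request(method, args=(), options=None, req_id=0):
    """FreeIPA's JSON-RPC envelope: params is [positional_list, options_dict],
    the same shape `ipa -vv <command>` prints for the request."""
    return {"method": method,
            "params": [list(args), dict(options or {})],
            "id": req_id}


def rpc_headers(ipa_host):
    """IPA refuses JSON-RPC requests whose Referer is not under its /ipa path
    (its CSRF check), so every request carries one."""
    return {"Referer": "https://%s/ipa" % ipa_host,
            "Content-Type": "application/json",
            "Accept": "application/json"}


def parse_negotiate_challenge(www_authenticate):
    """Token from a 'Negotiate <base64>' header value; '' for a bare
    'Negotiate' challenge; None if no Negotiate scheme is offered."""
    if not www_authenticate:
        return None
    for scheme in www_authenticate.split(","):
        parts = scheme.strip().split(None, 1)
        if parts and parts[0].lower() == "negotiate":
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def check_rpc_response(body):
    """Raise on an IPA error envelope, otherwise return its 'result'."""
    err = body.get("error")
    if err:
        raise RuntimeError("%s (code %s): %s" % (
            err.get("name"), err.get("code"), err.get("message")))
    return body.get("result")


def gss_authorization(ipa_host, keytab=None):
    """First GSSAPI initiator step for HTTP/<ipa_host>.  With no kinit done,
    libkrb5 (MIT 1.11+) pulls a TGT from KRB5_CLIENT_KTNAME by itself
    (assumption stated in the lead-in).  Returns (header value, context)."""
    import kerberos  # lazy: only the network path needs python-kerberos
    if keytab:
        os.environ["KRB5_CLIENT_KTNAME"] = keytab
    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
    _, ctx = kerberos.authGSSClientInit("HTTP@" + ipa_host, gssflags=flags)
    kerberos.authGSSClientStep(ctx, "")
    return "Negotiate " + kerberos.authGSSClientResponse(ctx), ctx


def ipa_session(ipa_host, cacert="/etc/ipa/ca.crt"):
    """HTTPS session pinned to the IPA CA; it also stores IPA's session
    cookie so later calls skip the Kerberos exchange."""
    import requests
    s = requests.Session()
    s.verify = cacert
    s.headers.update(rpc_headers(ipa_host))
    return s


def call_ipa(session, ipa_host, method, args=(), options=None, keytab=None):
    """POST one call.  Ride on the cookie when the session has one; do the
    GSSAPI exchange when it has none or the server answers 401."""
    import kerberos
    url = "https://%s/ipa/json" % ipa_host
    body = json.dumps(build_rpc_request(method, args, options))
    resp = session.post(url, data=body) if session.cookies else None
    if resp is None or resp.status_code == 401:
        auth_value, ctx = gss_authorization(ipa_host, keytab)
        resp = session.post(url, data=body, headers={"Authorization": auth_value})
        # Mutual auth: the server must answer with a token our context accepts.
        token = parse_negotiate_challenge(resp.headers.get("WWW-Authenticate"))
        ok = bool(token) and (kerberos.authGSSClientStep(ctx, token)
                              == kerberos.AUTH_GSS_COMPLETE)
        kerberos.authGSSClientClean(ctx)
        if not ok:
            raise RuntimeError("IPA server did not complete mutual authentication")
    resp.raise_for_status()
    return check_rpc_response(resp.json())


if __name__ == "__main__":
    # Offline: show the envelope.  Online (hypothetical env vars): add a user.
    print(json.dumps(build_rpc_request("user_add", ["testuser"], {
        "givenname": "Test", "sn": "User", "loginshell": "/bin/sh"}), indent=2))
    host, keytab = os.environ.get("IPA_HOST"), os.environ.get("IPA_KEYTAB")
    if host:
        s = ipa_session(host)
        print(call_ipa(s, host, "user_add", ["testuser"],
                       {"givenname": "Test", "sn": "User"}, keytab=keytab))
```

Written for Python 3 (the snippet quoted in the thread is Python 2). The Kerberos exchange runs only once per session: the first call sends the GSSAPI token proactively, the reply is fed back into the context so the server is authenticated too, and from then on the cookie the session stored carries the authentication, which is the performance gain Rob mentions.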