#7760 ipalib: support auth with username+password
Opened a year ago by pvoborni. Modified a year ago

Request for enhancement

As an admin or automation engineer, I want to use the FreeIPA API via the Python bindings (ipalib) with username+password so that I can avoid having the machine configured for the IPA realm, but still be able to use the API from my Python scripts for various reasons - testing, bulk add of users.

Actual behavior

ipalib supports only GSSAPI auth via the KerbTransport class

Expected behavior

ipalib would, in addition, support username+password auth (e.g. via a new transport)


All versions until today (Nov 9; last released 4.7.1)

This would be much easier if we replaced the http.client stdlib package with python-requests.

We can do it with http.client as well. We just need to take a few things into account:

  • we use the Kerberos ccache to store a session cookie there as a hidden entry. We should continue using that for the non-Kerberos case as well. Local use of krb5 functions is fine until we want to retrieve a service ticket.
  • This can be achieved by creating a non-Kerberos transport class that inherits from KerbTransport and overrides _set_auth_header() and _auth_complete() so that the new transport makes no gssapi calls. Also, get_auth_info() can be refactored to call self._get_response(), which would contain all the logic from `# Set the remote host principal` to the end of the try: except: block.
  • In the non-Kerberos transport we then override self._get_response() into something that provides us a response that can be put into the Authorization field in self._set_auth_header(), i.e. basic auth.
  • self._auth_complete would need to support the non-Negotiate `www-authenticate` variant.

Such an approach would work for both Kerberos and non-Kerberos authentication against 4.5+ servers. For older servers we would need to ensure we authenticate against a more specific URL; FreeIPA 4.5+ servers accept authentication on any URL.
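The override layout sketched in the comment above, as an added example that is not ipalib's own code and not part of this ticket: a base transport owns the request flow and the session cookie (kept in memory here, where ipalib would use the hidden ccache entry), and a password transport overrides _get_response() to return an HTTP Basic credential and _auth_complete() to handle the non-Negotiate WWW-Authenticate case. The method signatures, the TransportBase/PasswordTransport/Handler names, the in-process stand-in server and the admin/Secret123 credential are all assumptions made for the demo; the real KerbTransport differs. The stand-in accepts either the credential or a session cookie on any URL, as the comment says 4.5+ servers do; the more specific login URL needed for older servers is not modelled.

```python
# Added example, not ipalib's code; method names follow the comment above, the rest is assumed.
import base64
import http.client
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class TransportBase:
    # Shared flow; subclasses supply _get_response() (GSSAPI token in
    # KerbTransport, Basic credential below) and _auth_complete().
    def __init__(self, host, port):
        self.host, self.port = host, port
        self.session_cookie = None  # ipalib would park this in the krb5 ccache

    def _set_auth_header(self, headers):
        headers["Authorization"] = self._get_response()

    def _post(self, path, body):
        headers = {"Content-Type": "application/json"}
        if self.session_cookie:
            headers["Cookie"] = self.session_cookie
        else:
            self._set_auth_header(headers)
        conn = http.client.HTTPConnection(self.host, self.port)
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read().decode()
        conn.close()
        return resp.status, resp.headers, data

    def request(self, path, body):
        status, hdrs, data = self._post(path, body)
        if status == 401 and self.session_cookie:  # stale session: redo with credentials
            self.session_cookie = None
            status, hdrs, data = self._post(path, body)
        if not self._auth_complete(status, hdrs):
            raise PermissionError(hdrs.get("WWW-Authenticate", "rejected"))
        if hdrs.get("Set-Cookie"):
            self.session_cookie = hdrs["Set-Cookie"].split(";", 1)[0]
        return status, data

class PasswordTransport(TransportBase):
    # username+password variant: no gssapi calls, an HTTP Basic credential instead.
    def __init__(self, host, port, user, password):
        super().__init__(host, port)
        self._cred = base64.b64encode(f"{user}:{password}".encode()).decode()

    def _get_response(self):
        return "Basic " + self._cred

    def _auth_complete(self, status, headers):
        if status != 401:
            return True
        challenge = headers.get("WWW-Authenticate", "")
        if "Basic" not in challenge:  # Negotiate-only challenge: server wants Kerberos
            raise PermissionError("no password auth offered: " + challenge)
        return False  # credential rejected; retrying the same one is pointless

# Constructed stand-in for a 4.5+ server: credential or cookie accepted on any URL.
USERS, SESSIONS = {"admin": "Secret123"}, set()

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        auth, sid = self.headers.get("Authorization", ""), None
        if auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if USERS.get(user) == pw:
                sid = "ipa_session=" + os.urandom(8).hex()
                SESSIONS.add(sid)
        if sid is None and self.headers.get("Cookie") not in SESSIONS:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Negotiate, Basic realm="IPA"')
            return self.end_headers()
        self.send_response(200)
        if sid:
            self.send_header("Set-Cookie", sid + "; Path=/ipa; HttpOnly")
        self.send_header("Content-Length", "16")
        self.end_headers()
        self.wfile.write(b'{"result": "ok"}')

def demo():
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    t = PasswordTransport(host, port, "admin", "Secret123")
    first, _ = t.request("/ipa/session/json", '{"method": "ping"}')  # password round trip
    cookie = t.session_cookie
    second, _ = t.request("/ipa/session/json", '{"method": "ping"}')  # cookie only
    SESSIONS.clear()  # server-side session expiry
    third, _ = t.request("/ipa/session/json", '{"method": "ping"}')  # transparent re-login
    try:
        PasswordTransport(host, port, "admin", "wrong").request("/ipa/session/json", "{}")
        rejected = False
    except PermissionError:
        rejected = True
    srv.shutdown()
    return first, cookie is not None, second, third, t.session_cookie != cookie, rejected
```

demo() walks through the four cases that matter for such a transport: a password round trip that yields a session cookie, a cookie-only call with no credential on the wire, a transparent re-login after the server has forgotten the session, and a rejected password surfacing as PermissionError instead of a silent retry loop. A Negotiate-only challenge is reported separately so a script can tell "wrong password" from "this server does not offer password auth".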
