As an admin or automation engineer, I want to use the FreeIPA API via the Python bindings (ipalib) with username+password so that I can avoid having the machine configured for the IPA realm, but still be able to use the API from my Python scripts for various reasons - testing, bulk add of users.
ipalib supports only GSSAPI auth via the KerbTransport class
ipalib would, in addition, support username+password auth (e.g. via new transport)
All versions till today (Nov 9, last released 4.7.1)
This would be much easier if we replace http.client stdlib package with python-requests.
We can do it with http.client as well. We just need to take a few things into account:
# Set the remote host principal
Such an approach would work for both Kerberos and non-Kerberos authentication against 4.5+ servers. For older servers we would need to ensure we authenticate against a more specific URL. FreeIPA 4.5+ servers accept authentication on any URL.
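For reference, the username+password flow discussed in this ticket can be sketched with http.client alone. This is an added example, not ipalib code or a patch from this ticket: it uses FreeIPA's form-based login endpoint and JSON-RPC session endpoint, and the function names, the host and the CA bundle path passed by the caller are assumptions.

```python
import http.client
import json
import ssl
from urllib.parse import urlencode

def login_request(host, user, password):
    """Form-encoded password login; the server rejects requests without a Referer."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "text/plain",
               "Referer": f"https://{host}/ipa"}
    body = urlencode({"user": user, "password": password})
    return "/ipa/session/login_password", body, headers

def session_cookie(set_cookie_values):
    """Return the ipa_session name=value pair from the Set-Cookie headers."""
    for value in set_cookie_values:
        pair = value.split(";", 1)[0].strip()
        if pair.startswith("ipa_session="):
            return pair
    raise PermissionError("login did not return an ipa_session cookie")

def rpc_request(host, cookie, method, args=(), options=None):
    """JSON-RPC call authenticated by the session cookie instead of a Kerberos ticket."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json",
               "Referer": f"https://{host}/ipa", "Cookie": cookie}
    body = json.dumps({"method": method, "params": [list(args), options or {}], "id": 0})
    return "/ipa/session/json", body, headers

def call(host, user, password, cafile, method, args=(), options=None):
    """Log in and run one command; the caller must check the reply's "error" field."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the IPA CA: a password is sent
    conn = http.client.HTTPSConnection(host, context=ctx)
    try:
        path, body, headers = login_request(host, user, password)
        conn.request("POST", path, body, headers)
        resp = conn.getresponse()
        resp.read()
        if resp.status != 200:
            raise PermissionError(resp.getheader("X-IPA-Rejection-Reason", f"HTTP {resp.status}"))
        cookie = session_cookie(resp.headers.get_all("Set-Cookie") or [])
        path, body, headers = rpc_request(host, cookie, method, args, options)
        conn.request("POST", path, body, headers)
        return json.loads(conn.getresponse().read())
    finally:
        conn.close()
```

Because the password travels in the request body, the CA bundle must be the one that issued the server certificate, and certificate verification should stay enabled even on test hosts.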