Hi Peter,
On Sun, 04 Apr 2021, Peter Tselios via FreeIPA-users wrote:
> My point is that I **don't** want to use the kinit.
You need to be authenticated to use ipa-getkeytab. There are two methods
of authentication available in ipa-getkeytab:
- use of an explicit LDAP bind DN credentials, typically 'cn=Directory Manager'
- use of Kerberos credentials
The latter obeys standard MIT Kerberos environmental variables so
client-initiated keytab-based authentication can be used as well. See
below for references in ansible-freeipa code.
> I also looked in the API Browser and I couldn't find any relevant
> option, so can someone tell me if there is an API call that I could use
> in order to download a keytab?
There is no IPA API call for that. You are talking here to LDAP server,
not to an IPA API end-point.
> If it doesn't, I will create an RFE for this since without an API call,
> we cannot create an ansible module for this.
I don't see how these two are related. Even with an IPA API call you
need authentication to happen first. If you look into ansible-freeipa
code, every module handles the situation with missing credentials by
calling for a kinit. This is the same situation: you need to authenticate
first before calling for ipa-getkeytab.
ansible-freeipa already has support for keytab-based initialization
through standard MIT Kerberos environmental variables:
https://github.com/freeipa/ansible-freeipa/commit/09ab29b4e70649155d43e8f...
Keytab-based authentication is available with all existing ansible roles
that implement IPA commands because the fallback to check for a keytab
happens in the valid_creds() method. So if you are going to create a new
role based on the existing code, it already has all the required support
for keytabs. It even has a FreeIPABaseModule helper class to simplify the
implementation of new commands, which handles authentication automatically
in its __enter__() method.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
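How a module could pick the credentials described above (an already-selected Kerberos credential, otherwise a client keytab via KRB5_CLIENT_KTNAME, otherwise the Directory Manager bind) before calling ipa-getkeytab, as an added example that is not ansible-freeipa's or FreeIPA's own code; the fallback order, the function names and the placeholder hosts and paths are assumptions.

```python
"""Non-interactive ipa-getkeytab with the credential fallback the mail describes.
Constructed example, not ansible-freeipa or FreeIPA code.  Assumed order mirrors
valid_creds(): an already-selected Kerberos credential, then a client keytab via
KRB5_CLIENT_KTNAME, then the LDAP bind DN method.  Hosts and paths are placeholders."""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple


def build_getkeytab_call(server: str, principal: str, keytab_out: str,
                         env: Dict[str, str],
                         client_keytab: Optional[str] = None,
                         bind_dn: Optional[str] = None,
                         bind_pw: Optional[str] = None,
                         retrieve: bool = False) -> Tuple[List[str], Dict[str, str]]:
    """Return (argv, environment) for ipa-getkeytab without running it."""
    argv = ["ipa-getkeytab", "-s", server, "-p", principal, "-k", keytab_out]
    if retrieve:
        # Without -r ipa-getkeytab generates a new key, invalidating every other
        # keytab already issued for this principal.
        argv.append("-r")
    run_env = dict(env)
    if "KRB5CCNAME" in run_env or "KRB5_CLIENT_KTNAME" in run_env:
        # Kerberos credentials already chosen through standard MIT variables.
        return argv, run_env
    if client_keytab:
        # Client-initiated keytab auth: libkrb5 obtains the TGT itself, no kinit.
        run_env["KRB5_CLIENT_KTNAME"] = client_keytab
        return argv, run_env
    if bind_dn and bind_pw:
        # LDAP simple bind (e.g. cn=Directory Manager).  -w puts the password in
        # the process list, so prefer the keytab path wherever possible.
        return argv + ["-D", bind_dn, "-w", bind_pw], run_env
    raise ValueError("no credentials: need a ccache, a client keytab or a bind DN")


def fetch_keytab(server: str, principal: str, keytab_out: str, env: Dict[str, str],
                 runner: Optional[Callable[[List[str], Dict[str, str]], int]] = None,
                 **creds) -> int:
    """Build the call and execute it; `runner` is injectable for dry runs/tests."""
    argv, run_env = build_getkeytab_call(server, principal, keytab_out, env, **creds)
    if runner is None:
        runner = lambda a, e: subprocess.run(a, env=e, check=False).returncode
    return runner(argv, run_env)


if __name__ == "__main__":
    # Dry run with placeholder values: print the command instead of executing it.
    fetch_keytab("ipa.example.test", "host/web.example.test", "/tmp/web.keytab",
                 {"PATH": "/usr/bin"}, runner=lambda a, e: print(a, e) or 0,
                 client_keytab="/etc/krb5.keytab")
```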