FreeIPA web call from Python

This was a response to a post of mine in 2010. The comment was unformatted in the response, and I wanted to get it readable. Its a great example of making a Kerberized web call.

Courtesy of Rich Megginson

Note: requires MIT kerberos 1.11 or later if you want to skip doing the kinit, and just let the script do the kinit implicitly with the keytab.

import kerberos
import sys
import os
from requests.auth import AuthBase
import requests
import json

class IPAAuth(AuthBase):
    def __init__(self, hostname, keytab):
        self.hostname = hostname
        self.keytab = keytab
        self.token = None


    def __call__(self, request):
        if not self.token:

        request.headers['Authorization'] = 'negotiate ' + self.token

        return request

    def refresh_auth(self):
        if self.keytab:
            os.environ['KRB5_CLIENT_KTNAME'] = self.keytab
            LOG.warn('No IPA client kerberos keytab file given')
        service = "HTTP@" + self.hostname
        flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
            (_, vc) = kerberos.authGSSClientInit(service, flags)
        except kerberos.GSSError, e:
            LOG.error("caught kerberos exception %r" % e)
            raise e
            kerberos.authGSSClientStep(vc, "")
        except kerberos.GSSError, e:
            LOG.error("caught kerberos exception %r" % e)
            raise e
        self.token = kerberos.authGSSClientResponse(vc)

hostname, url, keytab, cacert = sys.argv[1:]

request = requests.Session()
request.auth = IPAAuth(hostname, keytab)
ipaurl = 'https://%s/ipa' % hostname
jsonurl = url % {'hostname': hostname}
request.headers.update({'Content-Type': 'application/json',
                        'Referer': ipaurl})
request.verify = cacert

myargs = {'method': 'dnsrecord_add',
          'params': [["", ""],
                     {'a_part_ip_address': ''}],
          'id': 0}
resp =, data=json.dumps(myargs))
print resp.json()

myargs = {'method': 'dnsrecord_find', 'params': [[""], {}], 'id': 0}
resp =, data=json.dumps(myargs))
print resp.json()

Run the script like this:

python ipahost.domain.tld ‘https://%(hostname)s/ipa/json’ myuser.keytab /etc/ipa/ca.crt

One thought on “FreeIPA web call from Python

  1. Do you have example of integrating python kerberos with s4u2proxy? We have a python based HTTP middle tier. We need the middle tier to impersonate the client when connecting to backend database with pyodbc. Thanks in advance.

Leave a Reply

Your email address will not be published. Required fields are marked *