Talking to FreeIPA JSON web API via curl
One of the benefits of web APIs is that we can use command line tools to call them. FreeIPA is no different, but perhaps a hair trickier, as it combines the use of Kerberos with a strict JSON format. Getting it right took a little trial and error.
Precondition: run kinit with a valid user name.
Here’s the successful request to list all users:
curl -v \
-H "Content-Type:application/json" \
-H "Accept:application/json" \
--negotiate -u : \
--cacert /etc/ipa/ca.crt \
-d '{"method":"user_find","params":[[""],{}],"id":0}' \
-X POST https://`hostname`/ipa/json
Let's take this by the numbers, one item per line of the command.
1. The curl command, plus the verbose option.
2. Add a header telling the server we are sending a JSON request.
3. Add a header telling the server we can accept JSON in the response.
4. Negotiate authentication. We fake out curl by telling it to use no userid:password in the -u option, so it uses the Kerberos ticket from kinit instead.
5. I am posting from a CLI on the server machine. This just uses the same CA cert file that the web server uses. TODO: Figure out how to get this file from a remote machine.
6. Here is the JSON request. Note that the quotes must be protected from the shell, as we are sending this from the command line; here the single quotes around the whole body do that. TODO: Figure out how to send it from a file.
7. Use the HTTP verb POST to the URL specified.
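If you want to do this from a remote machine, you can get the CA certificate with:
curl -k https://$YOURHOST/ipa/config/ca.crt > /tmp/ipa.ca.cert
The -k option skips certificate verification for this one download, so the file is only as trustworthy as the network path it came over; compare its fingerprint with the one on the server before relying on it.
Then modify the portion of the curl command line from:
--cacert /etc/ipa/ca.crt
to
--cacert /tmp/ipa.ca.cert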
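One way to handle the remote case and the "send it from a file" TODO together, as an added example that is not code from the original post: the CA certificate fetched with -k is kept only if it matches a SHA-256 fingerprint obtained out of band, and the request body is read from a file with curl's -d @file. The function names are hypothetical, the CA file is assumed to hold a single PEM certificate, and the Referer header is there because current FreeIPA servers reject JSON requests without one.

```shell
#!/bin/sh
# Added example, not code from the original post; function names are hypothetical.

# SHA-256 fingerprint of the first certificate in a PEM file, as lowercase hex.
# The PEM body is base64 of the DER encoding, so this is the digest that
# `openssl x509 -fingerprint -sha256` reports (colons removed, lowercased).
pem_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         on' "$1" | tr -d ' \r' | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Succeed only if the file holds a certificate whose fingerprint equals the
# pinned value (colon-separated or plain hex, either case).
verify_pin() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ ${#want} -eq 64 ] && [ "$(pem_fingerprint "$1")" = "$want" ]
}

# Download the CA certificate over an unverified connection (-k) and keep it
# only if it matches the pin. Usage: fetch_ca_pinned HOST FINGERPRINT DEST
fetch_ca_pinned() {
    tmp=$(mktemp) || return 1
    if curl -sk "https://$1/ipa/config/ca.crt" -o "$tmp" && verify_pin "$tmp" "$2"
    then mv "$tmp" "$3"
    else rm -f "$tmp"; echo "CA certificate rejected" >&2; return 1
    fi
}

# Write the user_find request from the post to a file, so no shell quoting is
# involved when it is sent.
write_request() {
    cat > "$1" <<'EOF'
{"method":"user_find","params":[[""],{}],"id":0}
EOF
}

# Send a request file using the Kerberos ticket from kinit.
# Usage: ipa_call HOST CACERT REQUEST_FILE
ipa_call() {
    curl -s --negotiate -u : --cacert "$2" \
        -H "Content-Type: application/json" -H "Accept: application/json" \
        -H "Referer: https://$1/ipa" \
        -d @"$3" "https://$1/ipa/json"
}
```

After kinit, call fetch_ca_pinned with the host, the pinned fingerprint and /tmp/ipa.ca.cert, then write_request and ipa_call with the resulting files. The pin can be read on the server itself with openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256.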