Documentation
Documentation for the Identity Policy Audit (IPA) JavaScript Object Notation (JSON) API.
The API is largely undocumented. Unlike other large projects of this kind, installing an IPA server does not generate any automatic code documentation.
This documentation will most likely remain both minimal and stale.
The native 'jsonapi' types in this Puppet module use some clever meta-programming to talk directly to the endpoints. Some kind of explanation should exist for their behavior.
JSON request methods take their names from the Python functions named "method_name" in the IPA Python modules. These match the ipa-client commands named 'method-name'.
For example, 'ipa -vv user-show admin' from the mailing list is the JSON method user_show.
Connections are made through HTTPS to the /ipa/session/json URL for the server.
The method format is fixed for all options and roughly follows the Python calling convention for functions:
- 'method': 'name_of_method'
- 'params': []
- an id tag, usually 0.
The parameters are an array containing:
- a fixed array of positional parameters
- a hash of named parameters (i.e., the JSON API is a direct map to the Python internals.)
All JSON calls return a response hash:
ipa: INFO: Response: {}
The response contains:
- error, "error string if not null"
- id, a number which should match the request ID
- principal, a Kerberos principal used to authenticate (user@REALM format)
- result, a result hash that can be an extremely large and deep structure, particularly for LDAP queries
- version, the API version string
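The request envelope and response fields described above, as an added Python example (not code from this module or from IPA). The function names, the IpaApiError class and the sample response body are assumptions constructed for illustration; the checks on error, id and principal follow the field list above.

```python
import json


class IpaApiError(Exception):
    """Raised when a response fails one of the envelope checks."""


def build_request(command, *args, request_id=0, **options):
    """Map an ipa CLI command name plus arguments onto the JSON envelope."""
    return {
        "method": command.replace("-", "_"),  # 'user-show' -> 'user_show'
        "params": [list(args), options],      # [positional array, named hash]
        "id": request_id,
    }


def check_response(request, raw_body, expected_principal=None):
    """Validate the response envelope and return its 'result' hash."""
    response = json.loads(raw_body)
    if response.get("error") is not None:
        raise IpaApiError(f"server reported error: {response['error']}")
    if response.get("id") != request["id"]:
        raise IpaApiError("response id does not match request id")
    # Confirm the session cookie is bound to the identity we expect.
    if expected_principal and response.get("principal") != expected_principal:
        raise IpaApiError("session is bound to an unexpected principal")
    if "result" not in response:
        raise IpaApiError("response has no result")
    return response["result"]


# Constructed sample response body (not captured from a real server);
# the inner layout of 'result' is an assumption.
SAMPLE_BODY = json.dumps({
    "error": None,
    "id": 0,
    "principal": "admin@EXAMPLE.COM",
    "result": {"result": {"uid": ["admin"]}, "summary": None},
    "version": "0.0.0-sample",
})

if __name__ == "__main__":
    req = build_request("user-show", "admin")
    print(json.dumps(req))
    print(check_response(req, SAMPLE_BODY, "admin@EXAMPLE.COM"))
```

Checking the principal on every response catches a stale or swapped cookie jar before the result is acted on.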
The API endpoint is only available to authenticated users.
Using cURL from a registered host shows the complexity of the required login for a simple query.
curl -v -H referer:https://ipa.example.com/ipa -H "Content-Type:application/x-www-form-urlencoded" -H "Accept:text/plain" -c cookies.jar -b cookies.jar --cacert /etc/ipa/ca.crt --data "user=my_username&password=SekritPassWord" -X POST https://$IPAHOSTNAME/ipa/session/login_password
This calls the API function to find all or one user. The example call is '{"method":"user_find","params":[[""],{}],"id":0}' but most of the boilerplate is mandatory for every call regardless of method.
curl -v -H referer:https://ipa.example.com/ipa -H "Content-Type:application/json" -H "Accept:application/json" -c cookies.jar -b cookies.jar --cacert /etc/ipa/ca.crt -d '{"method":"user_find","params":[[""],{}],"id":0}' -X POST https://ipa.example.com/ipa/session/json
This will return a large list of LDAP user entries.
- IPA via cURL
- Talking to IPA with sessions
- RedHat mailing list on ipa-client debugging
- jonwuz original IPA module