@ -94,22 +94,12 @@ curl -V |
|
|
|
|
``` |
|
|
|
|
Your should see 'SPNEGO' in the 'Features' section. |
|
|
|
|
|
|
|
|
|
The API also uses unconstrained Kerberos delegation when interacting with |
|
|
|
|
the LDAP database. This means that the client obtains a forwarded TGT, then |
|
|
|
|
sends that to ceod, which then uses it to interact with LDAP on the client's |
|
|
|
|
behalf. There is a script called `gen_cred.py` which can generate this |
|
|
|
|
ticket for you. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here's an example of making a request to an endpoint which writes to LDAP: |
|
|
|
|
```sh |
|
|
|
|
# Get a Kerberos TGT first |
|
|
|
|
kinit |
|
|
|
|
# Obtain a forwarded TGT |
|
|
|
|
./gen_cred.py phosphoric-acid |
|
|
|
|
# Make the request |
|
|
|
|
curl --negotiate -u : --service-name ceod \ |
|
|
|
|
-H "X-KRB5-CRED: $(cat cred)" \ |
|
|
|
|
curl --negotiate -u : --service-name ceod --delegation always \ |
|
|
|
|
-d '{"uid":"test_1","cn":"Test One","program":"Math","terms":["s2021"]}' \ |
|
|
|
|
-X POST http://phosphoric-acid:9987/api/members |
|
|
|
|
``` |
|
|
|
|
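Review bot: The `--delegation always` flag on the curl line is not explained anywhere in the surrounding text, and it is the security-relevant part of this example. With it, curl forwards the caller's TGT to whatever service answers at `http://phosphoric-acid:9987`, which is what unconstrained delegation means from the client's side. Suggest adding a sentence before the code block saying that the flag delegates the user's ticket to ceod, that the TGT obtained by `kinit` must be forwardable for this to work, and that the command should only be pointed at the real ceod host. It is also worth stating why `always` is used rather than `--delegation policy`, which delegates only when the KDC has marked the service ticket OK-AS-DELEGATE. Separately, 'Your should see' in the context line near the top of the hunk should read 'You should see'.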