# pyceo
work in progress
## Development
First, make sure that you have installed the
[syscom dev environment](
This will set up all of the services needed for ceo to work. You should clone
this repo in one of the dev environment containers.
Next, install and activate a virtualenv:
```sh
sudo apt install libkrb5-dev libsasl2-dev python3-dev
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txt
pip install -r dev-requirements.txt
```
## C bindings
Due to the lack of a decent Python library for Kerberos we ended up
writing our own C bindings using [cffi](
Make sure you compile the bindings:
```sh
cd ceo_common/krb5
```
This should create a file named ''.
This will be imported by other modules in ceo.
## Running the application
ceod is essentially a distributed application, with instances on different
hosts offering different services. For example, the ceod instance on mail
offers a service to subscribe people to mailing lists, and
the ceod instance on phosphoric-acid offers a service to create new members.
Therefore, you will need to run ceod on multiple hosts. Currently, those are
phosphoric-acid, mail and caffeine (in the dev environment, caffeine is
replaced by coffee).
To run ceod on a single host:
```sh
export FLASK_APP=ceod.api
export FLASK_ENV=development
flask run -h -p 9987
```
Sometimes changes you make in the source code don't show up while Flask
is running. Stop the Flask app (Ctrl-C), run ``, then
restart the app.
## Interacting with the application
The client part of ceo hasn't been written yet, so we'll use curl to
interact with ceod for now.
ceod uses [SPNEGO]( for authentication,
and TLS for confidentiality and integrity. In development mode, TLS can be
First, make sure that your version of curl has been compiled with SPNEGO support:
```sh
curl -V
```
You should see 'SPNEGO' in the 'Features' section.
The API also uses unconstrained Kerberos delegation when interacting with
the LDAP database. This means that the client obtains a forwarded TGT, then
sends that to ceod, which then uses it to interact with LDAP on the client's
behalf. There is a script called `` which can generate this
ticket for you.
Here's an example of making a request to an endpoint which writes to LDAP:
```sh
# Get a Kerberos TGT first
# Obtain a forwarded TGT
./ phosphoric-acid
# Make the request
curl --negotiate -u : --service-name ceod \
-H "X-KRB5-CRED: $(cat cred)" \
-d '{"uid":"test_1","cn":"Test One","program":"Math","terms":["s2021"]}' \
-X POST http://phosphoric-acid:9987/api/members
```
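As an added illustration (not ceod's own code), here is how a server-side handler for the request above might stage the forwarded TGT carried in `X-KRB5-CRED` and validate the member body before either is used for LDAP. It assumes the header is base64 text, that the credential is written to a private file-based ccache, and a uid/term policy (`test_1`, `s2021`) that is not specified on this page.

```python
import base64
import binascii
import os
import re
import shutil
import tempfile

UID_RE = re.compile(r"^[a-z][a-z0-9_]{1,31}$")   # assumed uid policy
TERM_RE = re.compile(r"^[fws]\d{4}$")            # assumed term format, e.g. s2021


def stage_forwarded_cred(header_value):
    """Decode X-KRB5-CRED and write it to a fresh, private ccache file.

    Returns the KRB5CCNAME string the LDAP step would use. A delegated TGT
    is a full credential for the caller, so it is kept 0600 in a 0700
    directory and must be discarded as soon as the request is done.
    """
    try:
        raw = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("X-KRB5-CRED is not valid base64")
    if not raw:
        raise ValueError("X-KRB5-CRED is empty")
    ccdir = tempfile.mkdtemp(prefix="ceod-cc-")  # created with mode 0700
    path = os.path.join(ccdir, "krb5cc")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(raw)
    return "FILE:" + path


def discard_forwarded_cred(ccname):
    """Remove the staged ccache and its directory; returns True if removed."""
    path = ccname[len("FILE:"):]
    shutil.rmtree(os.path.dirname(path), ignore_errors=True)
    return not os.path.exists(path)


def validate_member(body):
    """Check the JSON body of POST /api/members before it reaches LDAP."""
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    uid = body.get("uid")
    if not isinstance(uid, str) or not UID_RE.match(uid):
        raise ValueError("bad uid")
    for key in ("cn", "program"):
        val = body.get(key)
        if not isinstance(val, str) or not val.strip() or "\x00" in val:
            raise ValueError("bad %s" % key)
    terms = body.get("terms")
    if not isinstance(terms, list) or not terms or \
            not all(isinstance(t, str) and TERM_RE.match(t) for t in terms):
        raise ValueError("bad terms")
    return {"uid": uid, "cn": body["cn"].strip(),
            "program": body["program"].strip(), "terms": list(terms)}
```

A view function would call `validate_member` on the parsed JSON, then wrap the LDAP work in a try/finally that calls `discard_forwarded_cred` on the staged ccache.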