Apart from Python, the FreeIPA API is also available through HTTPS exchanging requests in JSON-RPC format.

Basic usage#

Before sending requests to the FreeIPA server, we need to properly authenticate.

It is possible to authenticate both through Kerberos and password.

Kerberos authentication#

To authenticate via Kerberos, it is needed to have actual credentials in the credentials cache first. After this, we need to send a login request to the FreeIPA endpoint, https://$IPAHOSTNAME/ipa/session/login_kerberos.

$ export KRB5CCNAME=FILE:/path/to/ccache
$ export COOKIEJAR=/path/to/my.cookie
$ export IPAHOSTNAME=ipa-master.example.com
$ kinit -k -t /path/to/service.keytab service/ipa-client.example.com
$ curl -v  \
        -H referer:https://$IPAHOSTNAME/ipa  \
        -c $COOKIEJAR -b $COOKIEJAR \
        --cacert /etc/ipa/ca.crt  \
        --negotiate -u : \
        -X POST \

If authentication was successful, $COOKIEJAR will contain all session cookies returned from the server. We will need to pass this with every request we send to the server.

Password authentication#

For password authentication, we just need to post it over HTTPS.

$ export COOKIEJAR=/path/to/my.cookie
$ export IPAHOSTNAME=ipa-master.example.com
$ s_username=admin s_password=mYSecReT1P2 curl -v  \
        -H referer:https://$IPAHOSTNAME/ipa  \
        -H "Content-Type:application/x-www-form-urlencoded" \
        -H "Accept:text/plain"\
        -c $COOKIEJAR -b $COOKIEJAR \
        --cacert /etc/ipa/ca.crt  \
        --data "user=$s_username&password=$s_password" \
        -X POST \

Same as kerberos authentication, we will need to pass the sessions cookies with every request.

Request and Response format#

A JSON-RPC request consists of three properties:

  • method: A string containing the name of the name that will be called.

  • params: the array of parameters for the command.

  • id: the request id, it can be of any type, the response will match it.

The response received from the server consists of four properties:

  • result: The returned Object from the command. If the command failed, this will be null.

  • principal: The Kerberos principal under which identity the command was performed.

  • error: An Error object containing information about the command if it failed. If it succeeded, this will be null.

  • ìd: An ID matching the request this response is replying to.

Sending a request#

Requests should be sent to the API endpoint https://$IPAHOSTNAME/ipa/session/json over HTTPS. The content type must be set to application/json and session cookies obtained when authentication must be passed with the request.

An example request for the user_find command would be:

curl -v  \
    -H referer:https://$IPAHOSTNAME/ipa  \
        -H "Content-Type:application/json" \
        -H "Accept:applicaton/json"\
        -c $COOKIEJAR -b $COOKIEJAR \
        --cacert /etc/ipa/ca.crt  \
        -d  '{"method":"user_find","params":[[""],{}],"id":0}' \
        -X POST \

An easy way to understand how IPA requests are built is via the CLI, by passing the -vv option to an IPA command.

$ ipa -vv user-find
ipa: INFO: Request: {
    "id": 0,
    "method": "user_find/1",
    "params": [
            "version": "2.251"


Converting JSON-RPC requests to Python#

FreeIPA provides methods to convert JSON-RPC requests to Python format. This is included in the freeipa-python-ipaserver package in Fedora.

from ipaserver.rpcserver import jsonserver

json_request = '{"method":"user_find","params":[[""],{}],"id":0}'
j = jsonserver(api) # `api` is the initialized IPA API object

(name, args, opts, response_id) = j.unmarshal(json_request)

result = api.Command[name](*args, **opts)

Reporting issues#

To report issues related to API usage, they should be reproducible using the API through Python, in order to discard errors related to misconstruction of JSON-RPC requests. These requests can be converted to Python using the steps mentioned earlier.