On 23/06/2022 13.30, Serge Krawczenko via FreeIPA-users wrote:
> kinit -kt <keytab file> <user>
> ldapsearch -Q -Y GSSAPI -h localhost <whatever i want>
> ipa <some commands>
> This keytab file was generated for a dedicated user.
> Obviously, kinit was required for LDAP GSSAPI and ipa commands.
Actually, kinit is not needed.
Any GSSAPI-enabled client can automatically acquire or refresh a TGT by other means. For example, if you set the environment variable KRB5_CLIENT_KTNAME=/path/to/keytab, then ldapsearch and ipa will acquire a TGT for the first principal in the keytab if needed.
For extra security, you can use gss-proxy and let it handle the keytab for you. You need a mapping (e.g. map the keytab to an effective uid) and set the env var GSS_USE_PROXY=yes for the command.
Christian
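The two kinit-free patterns from Christian's reply, the KRB5_CLIENT_KTNAME variant and the gss-proxy variant, as an added shell example that is not part of the thread. The keytab path, the service name "ipa-automation", the uid 1001 and the gssproxy config filename are assumptions; the config keys are the ones documented in gssproxy.conf(5). The wrapper also adds a check the thread does not mention: it refuses a keytab that other users can read, since anyone who can read the file can become that principal whether or not kinit is ever run.

```shell
#!/bin/sh
# Added example (not from the FreeIPA-users thread): run an IPA/LDAP command
# as a service account without an explicit kinit.
#   Variant 1 (KRB5_CLIENT_KTNAME): the GSSAPI client reads the keytab itself.
#   Variant 2 (gss-proxy): the process never touches the keytab; gssproxy does,
#   and the command is told to use it with GSS_USE_PROXY=yes.
# Keytab path, service name "ipa-automation", uid 1001 and the gssproxy config
# file name are assumptions.

# Refuse keytabs readable by other users: the keytab *is* the credential.
keytab_perms_ok() {
    kt="$1"
    [ -f "$kt" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback; both print e.g. "600".
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Variant 1: run "$@" with a private, per-invocation credential cache so the
# service account's TGT never lands in (or clobbers) the interactive user's
# cache; the client acquires the TGT from the keytab on first use.
with_keytab() {
    kt="$1"; shift
    keytab_perms_ok "$kt" || { echo "refusing $kt: mode must be 0600 or 0400" >&2; return 1; }
    ccdir=$(mktemp -d) || return 1
    KRB5_CLIENT_KTNAME="$kt" KRB5CCNAME="FILE:$ccdir/cc" "$@"
    rc=$?
    rm -rf "$ccdir"      # a FILE ccache is just a file: removing it destroys the TGT
    return $rc
}

# Variant 2: the command only needs GSS_USE_PROXY=yes; gssproxy maps the
# calling euid to a keytab only gssproxy can read. Assumed
# /etc/gssproxy/50-ipa-automation.conf:
#
#   [service/ipa-automation]
#     mechs = krb5
#     cred_store = client_keytab:/var/lib/gssproxy/ipa-automation.keytab
#     cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_ipa-automation
#     cred_usage = initiate
#     euid = 1001
#
# Only processes with effective uid 1001 get credentials from this section.
with_gssproxy() {
    GSS_USE_PROXY=yes "$@"
}

# Usage (assumed keytab path, base DN and command):
#   with_keytab /etc/ipa-automation.keytab \
#       ldapsearch -Q -Y GSSAPI -h localhost -b dc=example,dc=com uid=someuser
#   with_gssproxy ipa user-show someuser
```

The wrapper only sets the environment; the TGT acquisition itself is done by the Kerberos library inside ldapsearch or ipa exactly as described in the reply, so there is still no kinit anywhere in the call chain.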