Start server in a separate shell session.

```
$ FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
```

Reset any cookies and Kerberos tickets.

```
$ kdestroy -A
$ rm ~/cookiejar.txt
```

Try visiting protected page without authorization.

```
$ curl -L http://d2-03a.ipa.example.com:5000/protected -b ~/cookiejar.txt -c ~/cookiejar.txt
requires session
```

Get Kerberos ticket and then visit Kerberos login URL.

```
$ kinit ${USER}
$ klist
Ticket cache: FILE:/tmp/krb5cc_960600001_Hjgmv7lby2
Default principal: bgstack15@IPA.EXAMPLE.COM

Valid starting     Expires            Service principal
06/20/21 16:04:10  06/21/21 16:04:07  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
06/20/21 16:04:15  06/21/21 16:04:07  HTTP/d2-03a.ipa.example.com@IPA.EXAMPLE.COM
$ curl -L http://d2-03a.ipa.example.com:5000/login/kerberos --negotiate -u ':' -b ~/cookiejar.txt -c ~/cookiejar.txt
success with kerberos
```

Visit protected page now that we have a session.

```
$ cat ~/cookiejar.txt
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

d2-03a.ipa.example.com FALSE / FALSE 0 user "bgstack15@IPA.EXAMPLE.COM"
d2-03a.ipa.example.com FALSE / FALSE 0 type kerberos
d2-03a.ipa.example.com FALSE / FALSE 0 timestamp 2021-06-20T20:06:15Z
#HttpOnly_d2-03a.ipa.example.com FALSE / FALSE 1624219691 session eyJfcGVybWFuZW50Ijp0cnVlLCJlbmRfdGltZSI6IjIwMjEtMDYtMjBUMjA6MDY6MTVaIiwidXNlciI6ImJnaXJ0b25ASVBBLlNNSVRIMTIyLkNPTSJ9.YM-fsw.ZeI4ec-d7D64IEJ9Ab4RfpXfLt4
$ curl -L http://d2-03a.ipa.example.com:5000/protected -b ~/cookiejar.txt -c ~/cookiejar.txt
View Session Cookie Username: bgstack15@IPA.EXAMPLE.COM
Session expires: 2021-06-20T20:06:15Z
Logged in through: kerberos
```

For submitting to the form, pass in form data using fields `username`, `password`, and optionally `logintype`, which can be defined within the application. An included option is `ldap`. Kerberos auth through the form is not supported.

```
$ curl -L -X POST http://d2-03a:5000/login/ --data 'username=bgstack15&password=qwerty' -b ~/cookiejar.txt -c ~/cookiejar.txt
```

Basic auth can be provided as a POST to /login/basic/.

```
$ curl -X POST -L http://d2-03a:5000/login/basic/ -b ~/cookiejar.txt -c ~/cookiejar.txt --user 'bgstack15'
Enter host password for user 'bgstack15':
success with ldap
$ curl -X POST -L http://d2-03a:5000/login/basic/ -b ~/cookiejar.txt -c ~/cookiejar.txt --header "Authorization: Basic $( printf '%s' "${username}:${pw}" | base64 )"
success with ldap
```

To set any settings that are currently supported by the /protected/settings/ page, you need to be a member of the LDAP group "admins".

```
$ curl -L http://d2-03a:5000/protected/settings/ -b ~/cookiejar.txt -c ~/cookiejar.txt -X POST --data 'ldap_uri=ldaps://dns1.ipa.example.com'
Settings updated:
```
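A check to run against the cookie jar that curl writes during the login steps above, as an added example that is not part of session_app: it lists cookies stored without HttpOnly or Secure and decodes the session cookie's payload, which Flask signs but does not encrypt. The sample jar, host name and user below are constructed.

```python
import base64, json, zlib

# Constructed sample in curl's Netscape cookie-jar layout (tab-separated fields).
# The session value is built here; its timestamp and signature parts are placeholders.
_body = json.dumps({"_permanent": True, "user": "alice@EXAMPLE.TEST"}).encode()
_session = base64.urlsafe_b64encode(_body).rstrip(b"=").decode() + ".AAAAAA.placeholder"
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "app.example.test\tFALSE\t/\tFALSE\t0\tuser\talice@EXAMPLE.TEST",
    "app.example.test\tFALSE\t/\tFALSE\t0\ttype\tkerberos",
    "#HttpOnly_app.example.test\tFALSE\t/\tFALSE\t1624219691\tsession\t" + _session,
])

def parse_jar(text):
    """Return one dict per cookie record in a curl/Netscape cookie jar."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")  # curl marks HttpOnly this way
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # not a cookie record
        domain, _sub, _path, secure, _expires, name, value = fields
        cookies.append({"name": name, "value": value, "domain": domain,
                        "http_only": http_only, "secure": secure == "TRUE"})
    return cookies

def decode_flask_session(value):
    """Read a Flask session cookie's payload; the signature is NOT verified here."""
    compressed = value.startswith(".")  # a leading dot marks a zlib-compressed payload
    payload = value.lstrip(".").split(".")[0]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    return json.loads(zlib.decompress(raw) if compressed else raw)

def audit(text):
    """Return (cookie name, missing flags) for cookies lacking HttpOnly or Secure."""
    findings = []
    for c in parse_jar(text):
        missing = [flag for flag, present in
                   (("HttpOnly", c["http_only"]), ("Secure", c["secure"])) if not present]
        if missing:
            findings.append((c["name"], missing))
    return findings

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_JAR):
        print(f"{name}: missing {', '.join(missing)}")
    session = next(c for c in parse_jar(SAMPLE_JAR) if c["name"] == "session")
    print("session payload readable without the key:", decode_flask_session(session["value"]))
```

Because the payload is readable by anyone holding the cookie, keep secrets out of the Flask session, and serve the app over HTTPS so the Secure flag can be set.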