[openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

Nathan Kinder nkinder at redhat.com
Sun Oct 19 02:13:19 UTC 2014 


On 10/18/2014 08:43 AM, lohit.valleru wrote:
> Hello,
> 
> Thank you for posting this issue to openstack-dev. I had posted this on the
> openstack general user list and was waiting for response.
> 
> May i know, if we have any progress regarding this issue.
> 
> I am trying to use external HTTPD authentication with kerberos and LDAP
> identity backend, in Havana.
> 
> I think, few things have changed with Openstack Icehouse release and
> Keystone 0.9.0 on CentOS 6.5.
> 
> Currently I face a similar issue to yours : I get a full username with
> domain as REMOTE_USER from apache, and keystone tries to search LDAP  along
> with my domain name. ( i have not mentioned any domain information to
> keystone. i assume it is called 'default', while my domain is: example.com )
> 
> I see that - External Default and External Domain are no longer supported by
> keystone but intstead - 
> 
> keystone.auth.plugins.external.DefaultDomain or
> external=keystone.auth.plugins.external.Domain are valid as of now.
> 
> I also tried using keystone.auth.plugins.external.kerberos after checking
> the code, but it does not make any difference.
> 
> For example:
> 
> If i authenticate using kerberos with : lohit.valleru at example.com. I see the
> following in the logs.
> 
> DEBUG keystone.common.ldap.core [-] LDAP search:
> dn=ou=People,dc=example,dc=come, scope=1,
> query=(&(uid=lohit.valleru at example.com)(objectClass=posixAccount)),
> attrs=['mail', 'userPassword', 'enabled', 'uid'] search_s
> /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:807
> 2014-10-18 02:34:36.459 5592 DEBUG keystone.common.ldap.core [-] LDAP unbind
> unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:777
> 2014-10-18 02:34:36.460 5592 WARNING keystone.common.wsgi [-] Authorization
> failed. Unable to lookup user lohit.valleru at example.com from 172.31.41.104
> 
> Also, i see that keystone always searches with "uid", no matter what i enter
> as a mapping value for userid/username in keystone.conf . I do not
> understand if this is a bug or limitation. ( The above logs show that they
> are not able to find uid with lohit.valleru at example.com since LDAP contains
> uid without domain name)

Do you have more details on what your mapping is configured like?  There
have been some changes around this area in Juno, but it's still possible
that there is some sort of bug here.
> 
> May i know, how do i request keystone to split REMOTE_USER? Do i need to
> mention default domain and sync with database in order for this to work?

REMOTE_USER is set to the full user principal name, which incudes the
kerberos realm.  Are you using mod_auth_kerb?  If so, you can set the
following in your httpd config to split the realm off of the user principal:

  KrbLocalUserMapping On

> 
> Also, May i know - what modifications do i need to do to Havana to disable
> username and password authentication, but instead use external
> authentication such as Kerberos/REMOTE_USER.
> 
> Is anyone working on these scenarios? or do we have any better solutions?

There is work going on to make Kerberos a more pracitical solution,
including a Kerberos auth plugin for Keystone:

  https://review.openstack.org/123614
> 
> I have read about Federation and Shibboleth authentication, but i believe
> that is not the same as REMOTE_USER/Kerberos authentication.

SAML federation uses REMOTE_USER, but it's quite a bit different than
what you are tryign do do since you still need to look up user
information via LDAP (it's all provided as a part of the SAML assertion
in the federation case).  There are efforts going on in this area, but I
think it's still a release out (Kilo hopefully).

Thanks,
-NGK

> 
> Thank you,
> 
> Lohit
> 
> Thank you,
> 
> Lohit
> 
> 
> 
> 
> --
> View this message in context: http://openstack.10931.n7.nabble.com/keystone-Support-for-external-authentication-i-e-REMOTE-USER-in-Havana-tp22185p55528.html
> Sent from the Developer mailing list archive at Nabble.com.
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

More information about the OpenStack-dev mailing list