[openstack-dev] [Keystone] external AuthN Identity Backend

Adam Young ayoung at redhat.com
Mon Oct 20 20:31:27 UTC 2014


On 10/16/2014 03:18 PM, Dave Walker wrote:
> On 16 October 2014 20:07, David Stanek <dstanek at dstanek.com> wrote:
> <SNIP>
>> I may be missing something, but can you use the external auth method with
>> the LDAP backend?
>>
> No, as the purpose of the LDAP backend is to validate user/pass
> combination are valid.  With the external auth plugin, these are not
> provided to keystone (and may not even exist).  If they did exist, we
> would be doing auth at the edge and at the backend - which seems
> needlessly expensive.
>
> --
> Kind Regards,
> Daviey Walker
>
The short of it is that what you are describing is handled by Federation.

I think that there is some confusion in the processing of an authN/authZ 
request which we call "create a token".

Here's how I would expect it to work in a Kerberos case (the archetype 
for external) before the use of Federation:

1.  mod_auth_kerb authenticates the user and sets REMOTE_USER before 
calling the Keystone WSGI app
2.  Keystone accepts REMOTE_USER and looks up the user in LDAP to get groups
3.  Userid and Groups are used to fetch roles to populate the token

We can also use the OS and mod_lookup_identity to get us Groups: see 
this write up for how to use Federation with SSSD

http://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/

That is old and needs to be updated, but the concepts are the same.


With Federation, you provide a mapping and a bunch of env vars to the 
Keystone server, and there is no need to persist the user in the user table.
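As an added illustration (not code from this thread or from Keystone itself): a minimal Python model of the flow above, where the Apache modules have already set REMOTE_USER and REMOTE_USER_GROUPS in the WSGI environ and a Keystone-style mapping turns them into a user name and group ids without any persisted user row. The environ values and group id are constructed placeholders; the evaluator is a simplified stand-in for Keystone's mapping engine, not its real implementation.

```python
"""Toy model of Keystone external auth + federation mapping (constructed example).

Apache (mod_auth_kerb / mod_lookup_identity) has already authenticated the
request; Keystone only sees the env vars below and never a password.
"""
import json

# Constructed WSGI environ as the Apache modules would hand it to Keystone.
ENVIRON = {
    "REMOTE_USER": "ayoung@EXAMPLE.COM",   # set by mod_auth_kerb (placeholder)
    "REMOTE_USER_GROUPS": "admins;devs",    # set by mod_lookup_identity via SSSD
}

# Constructed mapping in Keystone federation mapping syntax: "{0}" indexes the
# first "remote" entry. The group id is a placeholder, not a real Keystone id.
MAPPING = json.loads("""{
  "rules": [{
    "local": [{"user": {"name": "{0}"}},
              {"group": {"id": "GROUP_ID_PLACEHOLDER_ADMINS"}}],
    "remote": [{"type": "REMOTE_USER"},
               {"type": "REMOTE_USER_GROUPS", "any_one_of": ["admins"]}]
  }]
}""")


def _matches(requirement, environ):
    """Return the env value if this 'remote' requirement holds, else None."""
    value = environ.get(requirement["type"])
    if value is None:
        return None
    if "any_one_of" in requirement:
        # Multi-valued attributes arrive ';'-separated from mod_lookup_identity.
        if not set(value.split(";")) & set(requirement["any_one_of"]):
            return None
    return value


def apply_mapping(mapping, environ):
    """Return {'user': name, 'group_ids': [...]} for the first rule that fires.

    A rule fires only if every 'remote' requirement is met, so a request with
    no REMOTE_USER (nothing authenticated at the edge) maps to None.
    """
    for rule in mapping["rules"]:
        values = [_matches(r, environ) for r in rule["remote"]]
        if any(v is None for v in values):
            continue
        result = {"user": None, "group_ids": []}
        for local in rule["local"]:
            if "user" in local:
                result["user"] = local["user"]["name"].format(*values)
            if "group" in local:
                result["group_ids"].append(local["group"]["id"])
        return result
    return None
```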