[Openstack] AuthN/AuthZ

Adam Young ayoung at redhat.com
Wed May 15 19:57:32 UTC 2013


Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk 
to AD.


On 05/14/2013 06:11 PM, Aaron Knister wrote:
> *bump*
>
> Here's the tl;dr version:
>
> - How have other folks handled integration of OpenStack with existing 
> authN/authZ infrastructures? I'm particularly interested in the 
> automatic mapping of existing LDAP groups to roles/tenants within 
> openstack.
> - Are there plans to add support for the auth plugins to the *client 
> modules and CLI tools going forward? I'd be interested in contributing 
> this if it's on the roadmap and hasn't been done yet.
> - Are there plans to add support for auth plugins/external auth to 
> Horizon? As above, I'm interested in implementing this if there's 
> interest.
> - I see vague references in the documentation/*client code to using 
> certificates for authentication (without the need for httpd external 
> authentication) which would also eliminate the 
> credentials-in-environment-variables issue. Is using PKI for 
> authentication going to be supported? If so what's the status?
>
> Am I perhaps posting this to the wrong list? I didn't get any replies 
> from my original post.
>
> Thanks!
>
> -Aaron
>
>
>
> On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister at gmail.com> 
> wrote:
>
>     Hi Everyone,
>
>     I'm looking for feedback and input about what other sites are
>     doing for authentication and authorization with OpenStack.
>
>     First, some background:
>
>     I'm currently evaluating OpenStack (Grizzly), specifically working
>     on integration with Active Directory. I'm unable to modify the
>     schema to allow groupOfNames as a SUP of organizationalRole so
>     I've implemented a workaround using openldap and several of its
>     overlay backends to sit in front of AD. That all works just fine,
>     however I really would like to be able to map AD groups to
>     roles/tenants. I suspect I'll end up writing some code to do
>     this-- shouldn't be too hard.
>
>     Also on the subject of Active Directory, it's a show stopper for
>     me to put un-encrypted AD credentials in environment variables to
>     then pass to the various openstack CLI progs. My ideal workaround
>     would be to use Kerberos authentication which I actually have
>     working. I setup keystone to run under apache based on this
>     documentation with some tweaks here and there:
>
>     http://docs.openstack.org/developer/keystone/external-auth.html
>
>     I created an openstack client auth plugin (based on the VOMS auth
>     plugin) using requests_kerberos and this works well with the nova
>     client, however none of the other client tools, including horizon,
>     seem to support authentication plugins or the external
>     authentication concept in general.
>
>     So, here are my questions:
>
>     - How have other folks handled integration of OpenStack with
>     existing authN/authZ infrastructures? I'm particularly interested
>     in the automatic mapping of existing LDAP groups to roles/tenants
>     within openstack.
>     - Are there plans to add support for the auth plugins to the
>     *client modules and CLI tools going forward? I'd be interested in
>     contributing this if it's on the roadmap and hasn't been done yet.
>     - Are there plans to add support for auth plugins/external auth
>     to Horizon? As above, I'm interested in implementing this if
>     there's interest.
>     - I see vague references in the documentation/*client code to
>     using certificates for authentication (without the need for httpd
>     external authentication) which would also eliminate the
>     credentials-in-environment-variables issue. Is using PKI for
>     authentication going to be supported? If so what's the status?
>
>     Thanks in advance!
>
>     -Aaron
>
>
>
>
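Adam's one-line answer (Keystone inside Apache HTTPD, Kerberos for the user, the LDAP identity backend for AD) compresses a fair amount of configuration. The virtual host below is an added example written for this page, not configuration from the thread, from Keystone's own documentation or from either poster; the hostname, realm, certificate and keytab paths, process counts and the location of the Keystone WSGI script are assumptions for an illustrative Grizzly-era deployment.

```apache
# Added example (not from the original thread). Apache HTTPD virtual host
# serving Keystone's public API through mod_wsgi, with mod_auth_kerb doing
# SPNEGO against an Active Directory realm. All names and paths are assumed.
Listen 5000

<VirtualHost *:5000>
    ServerName keystone.example.com

    # Kerberos authenticates the user, but the token Keystone hands back and
    # every later API call still travel in HTTP, so the vhost itself is TLS.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/keystone.crt
    SSLCertificateKeyFile /etc/pki/tls/private/keystone.key

    # Keystone as a WSGI application (assumed copied from httpd/keystone.py
    # in the Keystone tree to /var/www/keystone/main).
    WSGIDaemonProcess keystone user=keystone group=keystone processes=2 threads=10
    WSGIProcessGroup  keystone
    WSGIScriptAlias   /  /var/www/keystone/main
    # Without this mod_wsgi drops the Authorization header before Keystone
    # sees it, so token-based requests would be rejected.
    WSGIPassAuthorization On

    # Only the token endpoint needs Kerberos. Apache puts the authenticated
    # principal in REMOTE_USER; Keystone's external auth plugin reads it
    # instead of expecting a password in the request body.
    <Location /v2.0/tokens>
        AuthType   Kerberos
        AuthName   "Kerberos Login"
        KrbMethodNegotiate on
        # Do not fall back to Basic auth: a client that cannot negotiate
        # would otherwise send the AD password to Keystone, which is exactly
        # the credential exposure the thread is trying to avoid.
        KrbMethodK5Passwd  off
        KrbServiceName     HTTP
        KrbAuthRealms      EXAMPLE.COM
        Krb5KeyTab         /etc/httpd/conf/keystone.keytab
        # Map user@EXAMPLE.COM to the bare username so REMOTE_USER matches
        # the name attribute the LDAP backend looks up (assumption: the
        # local auth_to_local rules strip the realm).
        KrbLocalUserMapping on
        Require valid-user
    </Location>
</VirtualHost>
```

On the Keystone side this pairs with `[auth] methods = external,password,token` and `external = keystone.auth.plugins.external.ExternalDefault` in keystone.conf, so REMOTE_USER is accepted as the authenticated identity, and with `[identity] driver = keystone.identity.backends.ldap.Identity` plus an `[ldap]` section whose `url`, `user_tree_dn` and `user_name_attribute` (typically `sAMAccountName` for AD) point at the directory. Two checks worth making before trusting the setup: Keystone must not be reachable on any path that bypasses Apache, because the external plugin trusts REMOTE_USER unconditionally, and the admin API (normally port 35357) stays on its own vhost with its own access controls rather than sharing this one. The group-to-role mapping Aaron asks about is not solved by this vhost; it still has to be done in Keystone's role assignments or by code that reads group membership from the directory.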
