<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Run Keystone in Apache HTTPD, use
Kerberos and the LDAP backend to talk to AD.<br>
<br>
<br>
On 05/14/2013 06:11 PM, Aaron Knister wrote:<br>
</div>
<blockquote
cite="mid:CAEufm7KNyFqkLr0axit+ehqax4PvMGNdoFWbvggj0D92vFyCWg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>*bump*<br>
<br>
</div>
Here's the tl;dr version:<br>
<br>
- How have other folks handled integration of OpenStack with
existing authN/authZ infrastructures? I'm particularly
interested in the automatic mapping of existing LDAP groups to
roles/tenants within openstack.<br>
- Are there plans to add support for the auth plugins to the
*client modules and CLI tools going forward? I'd be interested
in contributing this if it's on the roadmap and hasn't been done
yet.<br>
<div>- Are there plans to add support for auth plugins/external
auth to Horizon? As above, I'm interested in implementing
this if there's interest.<br>
</div>
- I see vague references in the documentation/*client code to
using certificates for authentication (without the need for
httpd external authentication) which would also eliminate the
credentials-in-environment-
<div dir="ltr">variables issue. Is using PKI for authentication
going to be supported? If so what's the status?<br>
<br>
</div>
<div>Am I perhaps posting this to the wrong list? I didn't get
any replies from my original post.<br>
<br>
</div>
<div>Thanks!<br>
</div>
<div><br>
-Aaron<br>
</div>
<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, May 7, 2013 at 1:52 PM, Aaron
Knister <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi Everyone,<br>
<br>
</div>
I'm looking for feedback and input about
what other sites are doing for
authentication and authorization with
OpenStack.<br>
<br>
</div>
<div>
First, some background:<br>
</div>
<div><br>
</div>
I'm currently evaluating OpenStack (Grizzly),
specifically working on integration with
Active Directory. I'm unable to modify the
schema to allow groupOfNames as a SUP of
organizationalRole so I've implemented a
workaround using openldap and several of its
overlays backends to sit in front of AD. That
all works just fine, however I really would
like to be able to map AD groups to
roles/tenants. I suspect I'll end up writing
some code to do this-- shouldn't be too hard.
<br>
<br>
</div>
Also on the subject of Active Directory, it's a
show stopper for me to put un-encrypted AD
credentials in environment variables to then
pass to the various openstack CLI progs. My
ideal workaround would be to use Kerberos
authentication which I actually have working. I
setup keystone to run under apache based on this
documentation with some tweaks here and there: <br>
<br>
<a moz-do-not-send="true"
href="http://docs.openstack.org/developer/keystone/external-auth.html"
target="_blank">http://docs.openstack.org/developer/keystone/external-auth.html</a><br>
<br>
</div>
I created an openstack client auth plugin (based
on the VOMS auth plugin) using requests_kerberos
and this works well with the nova client, however
none of the other client tools, including horizon,
seem to support authentication plugins or the
external authentication concept in general.<br>
<br>
</div>
So, here are my questions:<br>
<br>
</div>
- How have other folks handled integration of
OpenStack with existing authN/authZ infrastructures?
I'm particularly interested in the automatic mapping
of existing LDAP groups to roles/tenants within
openstack.<br>
</div>
- Are there plans to add support for the auth plugins to
the *client modules and CLI tools going forward? I'd be
interested in contributing this if it's on the roadmap
and hasn't been done yet.<br>
</div>
<div>- Are there plans to add support for auth
plugins/external auth to Horizon? As above, I'm
interested in implementing this if there's interest.<br>
</div>
- I see vague references in the documentation/*client code
to using certificates for authentication (without the need
for httpd external authentication) which would also
eliminate the credentials-in-environment-variables issue.
Is using PKI for authentication going to be supported? If
so what's the status?<br>
<div><br>
</div>
<div>Thanks in advance!<span class="HOEnZb"><font
color="#888888"><br>
<br>
-Aaron<br>
</font></span></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
More help : <a class="moz-txt-link-freetext" href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
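<p>An added example, not code from Aaron's message or from any OpenStack project, of the AD-group-to-role mapping he mentions writing: it normalizes a user's memberOf DNs (case, whitespace, escaped commas), looks them up in a site policy table, and computes what Keystone must grant or revoke. The group DNs, user names and policy table are constructed assumptions.</p>

```python
"""Map Active Directory group memberships to OpenStack (tenant, role) pairs.

Constructed example: the group DNs, users and policy table below are
made up; nothing here is read from Keystone or a live directory.
"""
import re
from typing import Dict, Iterable, Set, Tuple

Assignment = Tuple[str, str]  # (tenant, role)

# Assumed site policy: only explicitly listed groups confer anything.
GROUP_MAP: Dict[str, Assignment] = {
    "CN=cloud-admins,OU=Groups,DC=example,DC=com": ("admin", "admin"),
    "CN=project-x-users,OU=Groups,DC=example,DC=com": ("project-x", "Member"),
    "CN=project-x-admins,OU=Groups,DC=example,DC=com": ("project-x", "admin"),
}


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison. AD DNs are case-insensitive and
    may carry spaces after RDN separators; a backslash-escaped comma is
    part of an RDN value, not a separator, so split only on bare commas."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


NORMALIZED_MAP = {normalize_dn(g): a for g, a in GROUP_MAP.items()}


def assignments_for(member_of: Iterable[str]) -> Set[Assignment]:
    """Return the (tenant, role) pairs a user's memberOf values grant.
    Unmapped groups are ignored (deny by default). memberOf lists direct
    membership only, so nested AD groups need a separate expansion step."""
    granted: Set[Assignment] = set()
    for group_dn in member_of:
        hit = NORMALIZED_MAP.get(normalize_dn(group_dn))
        if hit is not None:
            granted.add(hit)
    return granted


def diff_assignments(current: Set[Assignment],
                     desired: Set[Assignment]) -> Tuple[Set[Assignment], Set[Assignment]]:
    """Compute (to_grant, to_revoke) so Keystone converges on AD truth."""
    return desired - current, current - desired


# Constructed sample entries, shaped like an LDAP search result.
SAMPLE_USERS = {
    "aknister": ["CN=Project-X-Admins, OU=Groups, DC=Example, DC=com",
                 "CN=Ops\\, Unmapped,OU=Groups,DC=example,DC=com"],
    "guest": [],
}

if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(user, sorted(assignments_for(groups)))
```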
<br>
</body>
</html>