<div dir="ltr"><div>Thanks Adam. I was able to get that far after a *lot* of headache. AD's typical schema doesn't map to what OpenStack is expecting, particularly as far as the domain_id attribute is concerned.<br>
<br><br></div>When running Keystone under Apache HTTPD, how does one use Horizon?<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 15, 2013 at 3:57 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Run Keystone in Apache HTTPD, use
Kerberos and the LDAP backend to talk to AD.<div><div class="h5"><br>
<br>
<br>
On 05/14/2013 06:11 PM, Aaron Knister wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>*bump*<br>
<br>
</div>
Here's the tl;dr version:<br>
<br>
- How have other folks handled integration of OpenStack with
existing authN/authZ infrastructures? I'm particularly
interested in the automatic mapping of existing LDAP groups to
roles/tenants within openstack.<br>
- Are there plans to add support for the auth plugins to the
*client modules and CLI tools going forward? I'd be interested
in contributing this if it's on the roadmap and hasn't been done
yet.<br>
<div>- Are there plans to add support for auth plugins/external
auth to Horizon? As above, I'm interested in implementing
this if there's interest.<br>
</div>
- I see vague references in the documentation/*client code to
using certificates for authentication (without the need for
httpd external authentication) which would also eliminate the
credentials-in-environment-variables issue.
<div dir="ltr">Is using PKI for authentication
going to be supported? If so what's the status?<br>
<br>
</div>
<div>Am I perhaps posting this to the wrong list? I didn't get
any replies from my original post.<br>
<br>
</div>
<div>Thanks!<br>
</div>
<div><br>
-Aaron<br>
</div>
<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, May 7, 2013 at 1:52 PM, Aaron
Knister <span dir="ltr"><<a href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi Everyone,<br>
<br>
</div>
I'm looking for feedback and input about
what other sites are doing for
authentication and authorization with
OpenStack.<br>
<br>
</div>
<div>
First, some background:<br>
</div>
<div><br>
</div>
I'm currently evaluating OpenStack (Grizzly),
specifically working on integration with
Active Directory. I'm unable to modify the
schema to allow groupOfNames as a SUP of
organizationalRole so I've implemented a
workaround using OpenLDAP and several of its
overlays/backends to sit in front of AD. That
all works just fine, however I really would
like to be able to map AD groups to
roles/tenants. I suspect I'll end up writing
some code to do this-- shouldn't be too hard.
<br>
<br>
</div>
Also on the subject of Active Directory, it's a
show stopper for me to put unencrypted AD
credentials in environment variables to then
pass to the various openstack CLI progs. My
ideal workaround would be to use Kerberos
authentication which I actually have working. I
set up keystone to run under apache based on this
documentation with some tweaks here and there: <br>
<br>
<a href="http://docs.openstack.org/developer/keystone/external-auth.html" target="_blank">http://docs.openstack.org/developer/keystone/external-auth.html</a><br>
<br>
</div>
I created an openstack client auth plugin (based
on the VOMS auth plugin) using requests_kerberos
and this works well with the nova client, however
none of the other client tools, including horizon,
seem to support authentication plugins or the
external authentication concept in general.<br>
<br>
</div>
So, here are my questions:<br>
<br>
</div>
- How have other folks handled integration of
OpenStack with existing authN/authZ infrastructures?
I'm particularly interested in the automatic mapping
of existing LDAP groups to roles/tenants within
openstack.<br>
</div>
- Are there plans to add support for the auth plugins to
the *client modules and CLI tools going forward? I'd be
interested in contributing this if it's on the roadmap
and hasn't been done yet.<br>
</div>
<div>- Are there plans to add support for auth
plugins/external auth to Horizon? As above, I'm
interested in implementing this if there's interest.<br>
</div>
- I see vague references in the documentation/*client code
to using certificates for authentication (without the need
for httpd external authentication) which would also
eliminate the credentials-in-environment-variables issue.
Is using PKI for authentication going to be supported? If
so what's the status?<br>
<div><br>
</div>
<div>Thanks in advance!<span><font color="#888888"><br>
<br>
-Aaron<br>
</font></span></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
</div>
<br></blockquote></div><br></div>
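The original post says the poster expects to write some code to map AD groups to OpenStack roles/tenants. As an added example that is not code from this thread or from OpenStack, here is one way to structure that mapping in Python: every group DN, tenant and role below is constructed, the group-to-role table is a hypothetical one, and the LDAP lookup and the Keystone role-assignment calls are left to the caller.

```python
# Added example (not code from the thread or from OpenStack): reconcile a
# user's Keystone role assignments from AD/LDAP group membership.
# Every DN, tenant and role below is constructed for illustration.
from collections import namedtuple

Assignment = namedtuple("Assignment", "user tenant role")


def normalize_dn(dn):
    """AD DNs are case-insensitive; compare them in one canonical form."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Which LDAP group grants which (tenant, role). Deny by default: a group that
# is not listed here grants nothing, so a new AD group cannot leak access.
GROUP_MAP = {
    normalize_dn("CN=cloud-admins,OU=Groups,DC=example,DC=com"): ("admin-tenant", "admin"),
    normalize_dn("CN=cloud-devs,OU=Groups,DC=example,DC=com"): ("dev-tenant", "Member"),
}
# (tenant, role) pairs this mapping owns; anything else was granted by hand.
MANAGED = set(GROUP_MAP.values())


def desired_assignments(user, member_of):
    """Turn the user's memberOf values into the assignments they should hold."""
    wanted = set()
    for group_dn in member_of:
        target = GROUP_MAP.get(normalize_dn(group_dn))
        if target is not None:
            wanted.add(Assignment(user, *target))
    return wanted


def reconcile(user, member_of, current):
    """Return (to_grant, to_revoke) for one user.

    Revocation is limited to managed (tenant, role) pairs, so a role an
    operator granted outside the mapping is left alone rather than stripped.
    The caller performs the LDAP lookup and the Keystone API calls.
    """
    want = desired_assignments(user, member_of)
    have = {a for a in current if a.user == user}
    stale = {a for a in have - want if (a.tenant, a.role) in MANAGED}
    return want - have, stale
```

Running this periodically (or on login) against the assignments Keystone currently holds gives an idempotent sync: membership lost in AD is revoked in OpenStack, while roles granted by hand outside the mapping survive.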