<div dir="ltr">Thanks Adam. I don't think I asked the right question. I'm wondering how I get horizon to use the external auth when keystone is running behind apache.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Mon, May 20, 2013 at 10:22 AM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div>On 05/16/2013 11:29 AM, Aaron Knister
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks Adam. I was able to get that far after a *lot* of
headache. AD's typical schema doesn't map to what OpenStack is
expecting, particularly as far as the domain_id attribute is
concerned.<br>
</div>
</div>
</blockquote>
<br></div>
Sorry about that. I am not too fond of our Domain_id thing either,
and working to rectify:<div class="im"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<br>
<br>
</div>
When running Keystone under Apache HTTPD how does one use
horizon?<br>
</div>
</blockquote>
<br></div>
No change. You can report ports other than 5000/35357 for
Keystone's service catalog if you want to have Keystone serve on
443. Or, you can have apache listen on the usual keystone ports.
You will want Keystone on a separate machine from Horizon.<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, May 15, 2013 at 3:57 PM, Adam
Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Run Keystone in Apache HTTPD, use Kerberos and the
LDAP backend to talk to AD.
<div>
<div><br>
<br>
<br>
On 05/14/2013 06:11 PM, Aaron Knister wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>*bump*<br>
<br>
</div>
Here's the tl;dr version:<br>
<br>
- How have other folks handled integration of
OpenStack with existing authN/authZ
infrastructures? I'm particularly interested in
the automatic mapping of existing LDAP groups to
roles/tenants within openstack.<br>
- Are there plans to add support for the auth
plugins to the *client modules and CLI tools going
forward? I'd be interested in contributing this if
it's on the roadmap and hasn't been done yet.<br>
<div>- Are there plans to add support for auth
plugins/external auth to Horizon? As above, I'm
interested in implementing this if there's
interest.<br>
</div>
- I see vague references in the
documentation/*client code to using certificates
for authentication (without the need for httpd
external authentication) which would also
eliminate the credentials-in-environment-variables
<div dir="ltr">issue. Is using PKI for
authentication going to be supported? If so
what's the status?<br>
<br>
</div>
<div>Am I perhaps posting this to the wrong list?
I didn't get any replies from my original post.<br>
<br>
</div>
<div>Thanks!<br>
</div>
<div><br>
-Aaron<br>
</div>
<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, May 7, 2013 at
1:52 PM, Aaron Knister <span dir="ltr"><<a href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi Everyone,<br>
<br>
</div>
I'm looking for feedback and
input about what other sites
are doing for authentication
and authorization with
OpenStack.<br>
<br>
</div>
<div> First, some background:<br>
</div>
<div><br>
</div>
I'm currently evaluating
OpenStack (Grizzly),
specifically working on
integration with Active
Directory. I'm unable to modify
the schema to allow groupOfNames
as a SUP of organizationalRole
so I've implemented a workaround
using openldap and several of
its overlay backends to sit in
front of AD. That all works just
fine, however I really would
like to be able to map AD groups
to roles/tenants. I suspect I'll
end up writing some code to do
this; it shouldn't be too hard. <br>
<br>
</div>
Also on the subject of Active
Directory, it's a show stopper for
me to put un-encrypted AD
credentials in environment
variables to then pass to the
various openstack CLI progs. My
ideal workaround would be to use
Kerberos authentication which I
actually have working. I set up
keystone to run under apache based
on this documentation with some
tweaks here and there: <br>
<br>
<a href="http://docs.openstack.org/developer/keystone/external-auth.html" target="_blank">http://docs.openstack.org/developer/keystone/external-auth.html</a><br>
<br>
</div>
I created an openstack client auth
plugin (based on the VOMS auth
plugin) using requests_kerberos and
this works well with the nova
client, however none of the other
client tools, including horizon,
seem to support authentication
plugins or the external
authentication concept in general.<br>
<br>
</div>
So, here are my questions:<br>
<br>
</div>
- How have other folks handled
integration of OpenStack with existing
authN/authZ infrastructures? I'm
particularly interested in the automatic
mapping of existing LDAP groups to
roles/tenants within openstack.<br>
</div>
- Are there plans to add support for the
auth plugins to the *client modules and
CLI tools going forward? I'd be interested
in contributing this if it's on the
roadmap and hasn't been done yet.<br>
</div>
<div>- Are there plans to add support for
auth plugins/external auth to Horizon? As
above, I'm interested in implementing this
if there's interest.<br>
</div>
- I see vague references in the
documentation/*client code to using
certificates for authentication (without the
need for httpd external authentication)
which would also eliminate the
credentials-in-environment-variables issue.
Is using PKI for authentication going to be
supported? If so what's the status?<br>
<div><br>
</div>
<div>Thanks in advance!<span><font color="#888888"><br>
<br>
-Aaron<br>
</font></span></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
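<div dir="ltr">An added example, not code from this thread or from OpenStack itself, of Adam's second option: Apache listens on Keystone's usual public port with mod_auth_kerb supplying REMOTE_USER, so the service catalog keeps its ports. The hostname, realm, keytab and WSGI script paths are assumptions.</div>

```apache
# Added example, not from the thread: Keystone's public API behind Apache httpd
# on its usual port 5000, with mod_auth_kerb supplying REMOTE_USER. Hostname,
# realm, keytab and script paths are assumptions; adjust for your site.
Listen 5000

WSGIDaemonProcess keystone user=keystone group=keystone processes=2 threads=4

<VirtualHost *:5000>
    ServerName keystone.example.com

    # TLS: the Negotiate token and the issued Keystone token travel in headers
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/keystone.crt
    SSLCertificateKeyFile /etc/pki/tls/private/keystone.key

    # WSGI entry point copied from keystone's httpd/keystone.py (assumed path)
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIProcessGroup keystone

    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        # Off: never fall back to a password prompt, so the AD password is
        # never transmitted to this host; only a Kerberos ticket is accepted
        KrbMethodK5Passwd Off
        KrbServiceName HTTP
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/keystone.keytab
        KrbVerifyKDC On
        Require valid-user
    </Location>
</VirtualHost>

# The admin API on 35357 (WSGIScriptAlias / /var/www/cgi-bin/keystone/admin)
# is served the same way but without the Kerberos <Location>, so the
# auth_token middleware in the other services can keep validating tokens
# with its own credentials.
```

<div dir="ltr">With Require valid-user on the whole location, only Negotiate-capable clients (such as the requests_kerberos plugin described in the thread) can reach Keystone on this port; anything that still posts a username and password is refused by Apache before Keystone sees it.</div>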