<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Keystone has the opportunity to work as an SSO; there was a project on that, and it does have a plugin for LDAP. Not sure if this is something you are looking for. Also not sure if the SSO is on hold or still under dev. </div><div><br></div><div>Remo<br><br><div style="orphans: auto; widows: auto;">Sent from iPhone</div></div><div><br>On Jan 21, 2014, at 5:58, Joe Topjian &lt;<a href="mailto:joe@topjian.net">joe@topjian.net</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Hello,<div><br></div><div><div>One of the new features advertised in the Havana release of Keystone was external authentication via REMOTE_USER. I'm beginning to assume that I should take that at face value: Keystone has external auth, but that's it. OpenStack as a whole cannot currently utilize it.</div>
<div><br></div><div>Is this an incorrect assumption?</div><div><br></div><div>For example, I set up Keystone behind Apache just like the developer docs say. Everything worked.</div><div><br></div><div>Now I wanted to test external authentication. Just for practice, I tried http basic auth. I was successful in obtaining a token:</div>
<div><br></div><div>curl --user joe:foobar -d '{"auth":{}}' -H "Content-type: application/json" <a href="http://localhost:5000/v2.0/tokens">http://localhost:5000/v2.0/tokens</a><br></div><div><br>
</div><div>But I don't think it's possible to use the command line tools (nova, glance et al) to work with a single token. I also don't see how Horizon can utilize an http-auth protected Keystone without modification.</div>
<div><br></div><div>Am I wrong? If so, can someone point me to, at least, a proof of concept if not a production example?</div><div><br></div></div><div>Is it correct to say that if I want Keystone to authenticate users against an unsupported/custom database while still retaining compatibility with all other OpenStack components, then I should write a custom backend such as described here:</div>
<div><br></div><div><a href="https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/">https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/</a><br>
</div><div><br></div><div><br></div><div>Thanks,</div><div>Joe</div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><br></div></blockquote></body></html>