<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 07/04/2016 11:14 AM, schmitt wrote:<br>
    </div>
    <blockquote
      cite="mid:696f29e9.121d7.155b6797b55.Coremail.schmitt_hk@163.com"
      type="cite">
      <div
        style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">Hi,</div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">I am learning to configure
          keystone for tokenless  ssl x509  authorization, according to
          the document: <a moz-do-not-send="true"
href="http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html."
_src="http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html.">http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html.</a>
        </div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">When making a self-signed
          certificate with the openssl command,</div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">I don't know how to define
          issuer DN and subject DN for ssl x509.</div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">Is it right as the
          following?</div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">For example,</div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">If using tokenless
          authorization between nova service and keystone,</div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">I define <span
            style="font-size: 14.6667px; line-height: 24.9333px;">issuer
            DN like the following:</span></div>
      </div>
    </blockquote>
    It is just a mapping:  whatever you chose for the DN needs to be
    mappable to the username in Keystone.<br>
    The example has <span class="s2">"type"</span><span class="o">:</span>
    <span class="s2">"SSL_CLIENT_S_DN_CN".  So if the </span><span
      class="s2"><span class="s2">SSL_CLIENT_S_DN_CN</span> is </span><font
      face="Calibri, sans-serif"><span style="font-size: 14.6667px;
        line-height: 24.9333px;"><a class="moz-txt-link-abbreviated" href="mailto:schmitt@openstack.com">schmitt@openstack.com</a> then the username
        needs to be </span></font><font face="Calibri, sans-serif"><span
        style="font-size: 14.6667px; line-height: 24.9333px;"><a class="moz-txt-link-abbreviated" href="mailto:schmitt@openstack.com">schmitt@openstack.com</a>.<br>
        <br>
        There are many attributes you can use for mapping.  Here is a
        decent summary:<br>
        <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Environment_Variables">http://www.freeipa.org/page/Environment_Variables</a><br>
      </span></font><br>
    <br>
    <blockquote
      cite="mid:696f29e9.121d7.155b6797b55.Coremail.schmitt_hk@163.com"
      type="cite">
      <div
        style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
        <div style="margin: 0in 0in 0.0001pt;"><span style="font-family:
            Calibri, sans-serif; font-size: 14.6667px; line-height:
            24.9333px;">E=</span><font face="Calibri, sans-serif"><span
              style="font-size: 14.6667px; line-height: 24.9333px;"><a class="moz-txt-link-abbreviated" href="mailto:schmitt@openstack.com">schmitt@openstack.com</a></span></font></div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;">CN=schmitt</div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;">OU=keystone</div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;">O=openstack</div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;">L=Sunnyvale</div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;">S=California</div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;">C=US</div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;">and define subject DN like the following:</div>
        <div style="margin: 0in 0in 0.0001pt; font-family: Calibri,
          sans-serif;"><span style="line-height: 24.9333px; font-size:
            14.6667px;">E=nova</span><font style="line-height: 1.7;"
            face="Calibri, sans-serif"><span style="font-size:
              14.6667px; line-height: 24.9333px;">@openstack.com</span></font></div>
        <div style="margin: 0in 0in 0.0001pt;">
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;">CN=nova          #nova
            user defined in the configuration item
            [keystone_authtoken] file “/etc/nova/nova.conf”</div>
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;">OU=default</div>
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;">O=defalult</div>
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;">L=Sunnyvale</div>
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;">S=California</div>
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;">C=US</div>
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;"><br>
          </div>
          <div style="font-family: Calibri, sans-serif; line-height:
            23.8px; margin: 0in 0in 0.0001pt;">Also, is there something
            special between subject DN and openstack service?</div>
        </div>
        <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
          font-family: Calibri, sans-serif;">Thanks & Regards,</div>
        <p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size:
          11pt; font-family: Calibri, sans-serif;">schmitt</p>
      </div>
    </blockquote>
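    <p>The mapping described in the reply, worked through for the nova
      subject DN from the question. This is an added example, not part of
      the original thread and not Keystone's own code; <code>dn_to_env</code>,
      <code>map_username</code> and <code>RULE</code> are hypothetical names,
      and the "{0}" local name is an assumption modelled on the linked
      document.</p>

```python
# Added example: a simplified model of how a client-certificate subject DN
# becomes Apache mod_ssl variables and then a Keystone username.
# It is not Keystone's mapping engine; RULE only mirrors the "type" entry
# quoted in the reply, with a "{0}" local name assumed from the linked doc.

# Assumption: the question's E= is issued as emailAddress, which mod_ssl
# exposes with the suffix Email (SSL_CLIENT_S_DN_Email).
ALIASES = {"E": "Email", "EMAILADDRESS": "Email"}

RULE = {"remote": [{"type": "SSL_CLIENT_S_DN_CN"}],
        "local": [{"user": {"name": "{0}"}}]}

# Subject DN components taken from the question (certificate for nova).
NOVA_SUBJECT = ["E=nova@openstack.com", "CN=nova", "OU=default", "C=US"]


def dn_to_env(dn_components, prefix="SSL_CLIENT_S_DN"):
    """Turn ['CN=nova', ...] into {'SSL_CLIENT_S_DN_CN': 'nova', ...}."""
    env = {}
    for component in dn_components:
        key, sep, value = component.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed DN component: {component!r}")
        env[f"{prefix}_{ALIASES.get(key.upper(), key.upper())}"] = value
    return env


def map_username(env, rule=RULE):
    """Fill the local user name from the rule's remote attributes, in order."""
    values = []
    for remote in rule["remote"]:
        value = env.get(remote["type"])
        if not value:
            return None  # attribute absent from the certificate: no user
        values.append(value)
    return rule["local"][0]["user"]["name"].format(*values)


if __name__ == "__main__":
    env = dn_to_env(NOVA_SUBJECT)
    # CN-based rule: the Keystone user must be named after the CN.
    print(map_username(env))
    # Switching the rule to the e-mail attribute changes the required name.
    email_rule = {"remote": [{"type": "SSL_CLIENT_S_DN_Email"}],
                  "local": RULE["local"]}
    print(map_username(env, email_rule))
```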
  </body>
</html>