<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:Calibri;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:Courier;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:Tahoma;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:Tahoma;}
span.EmailStyle19
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Courier;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">>Hi Robert,<o:p></o:p></p>
<p class="MsoNormal">><o:p> </o:p></p>
<p class="MsoNormal">> I saw your proposal about keystone middleware<o:p></o:p></p>
<p class="MsoNormal">>for Radius and OpenStack integration from last year’s discussion,<o:p></o:p></p>
<p class="MsoNormal">><o:p> </o:p></p>
<p class="MsoNormal">>do you know about the progress in this area,<o:p></o:p></p>
<p class="MsoNormal">>maybe someone has already done the scalability evaluation?<o:p></o:p></p>
<p class="MsoNormal">> <o:p></o:p></p>
<p class="MsoNormal">>My idea atm is to use Radius with TripleO.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL">Hi Nikolay,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL">I guess you are referencing this reply I gave at some point ???<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoNormal">> You can write your own keystone middleware to authenticate with.<o:p></o:p></p>
<p class="MsoNormal">> There is a nice doc about that here: <o:p></o:p></p>
<p class="MsoNormal">> <a href="http://docs.openstack.org/developer/keystone/external-auth.html">
http://docs.openstack.org/developer/keystone/external-auth.html</a><o:p></o:p></p>
<p class="MsoNormal">><o:p> </o:p></p>
<p class="MsoNormal">> Note that if you use external_auth as in the example it will only take over the authentication:<o:p></o:p></p>
<p class="MsoNormal">> The user will still need to exist in keystone and roles need to be assigned in the keystone backend.<o:p></o:p></p>
<p class="MsoNormal">><o:p> </o:p></p>
<p class="MsoNormal">> For a "fully integrated" solution you will have to look at LDAP afaik.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As I mentioned you can build your own login integration if you are comfortable with python.<o:p></o:p></p>
<p class="MsoNormal">The login integration part is super easy, just set a REMOTE_USER if an authentication succeeded.<o:p></o:p></p>
<p class="MsoNormal">The hard part is managing the users/groups in keystone. <o:p>
</o:p></p>
<p class="MsoNormal">You will need to write some kind of sync creating users/tenants and giving/revoking appropriate access in keystone.<o:p></o:p></p>
<p class="MsoNormal">I am not sure if anybody made this for radius and would be willing to share that.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">You might also want to search for / look at keystone federation.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
<p class="MsoNormal">Robert van Leeuwen<o:p></o:p></p>
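<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The "set a REMOTE_USER if an authentication succeeded" step described above, as an added example that is not part of the original message and is not keystone's own code. It assumes credentials arrive as HTTP Basic; RemoteUserFilter, parse_basic, demo_check, whoami and call are hypothetical names, and demo_check is a constructed stand-in for the RADIUS request.<o:p></o:p></p>

```python
import base64
import binascii
import hmac

class RemoteUserFilter:
    """WSGI filter: REMOTE_USER is set only after the external check passes."""
    def __init__(self, app, check_credentials):
        self.app = app
        # Hypothetical hook (user, password) -> bool; the RADIUS call goes here.
        self.check_credentials = check_credentials

    def __call__(self, environ, start_response):
        # Drop any REMOTE_USER already in the environ so that only this
        # filter's own decision can mark a request as authenticated.
        environ.pop("REMOTE_USER", None)
        creds = parse_basic(environ.get("HTTP_AUTHORIZATION", ""))
        if creds is None:
            return self.app(environ, start_response)  # no external login
        if not self.check_credentials(*creds):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"Invalid user"]
        environ["REMOTE_USER"] = creds[0]
        return self.app(environ, start_response)

def parse_basic(header):
    # Returns (user, password), or None when the header is absent or malformed.
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def demo_check(user, password):
    # Constructed account standing in for the RADIUS server's answer.
    return user == "alice" and hmac.compare_digest(password.encode(), b"s3cret")

def whoami(environ, start_response):
    # Stand-in for the keystone app: echoes the user it was told about.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "-").encode()]

def call(app, environ):
    status = []
    body = b"".join(app(dict(environ), lambda s, h: status.append(s)))
    return status[0], body.decode()
```

<p class="MsoNormal">The filter only covers the login step: the user it names must still exist in keystone with roles assigned there, which is the sync work the message describes.<o:p></o:p></p>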
</div>
</body>
</html>