[openstack-dev] [Keystone] external AuthN Identity Backend

David Stanek dstanek at dstanek.com
Thu Oct 16 19:07:31 UTC 2014


On Thu, Oct 16, 2014 at 2:54 PM, Dave Walker <email at daviey.com> wrote:

> Hi Steve,
>
> Thanks for your response.  I am talking generally about the external
> auth support.  One use case is Kerberos, but for the sake of argument
> this could quite easily be Apache Basic auth.  The point is, we have
> current support for entrusting AuthN outside of Keystone.
>
> What I was trying to outline is that it seems that the current design
> of external auth is that keystone is not in the auth pipeline as we
> trust auth at the edge.  However, we then do additional auth within
> keystone.
>
> With external auth and SQL, we drop the user provided username and
> password on the floor and use what was provided in REMOTE_USER (set by
> the webserver).
>
> Therefore the check as it currently stands in SQL is basically 'is
> this username in the database'.  The LDAP plugin does Authentication
> via username and password, which is clearly not sufficient for
> external auth.  The LDAP plugin could be made to check in a similar
> manner to SQL 'is this a valid user' - but this would seem to be a
> duplicate check, as we already did this at the edge.
>
> If the webserver granted access to keystone, the user has already been
> checked to see if they are a valid user.  However, your response seems
> to suggest that current external auth should be formally deprecated?


I may be missing something, but can you use the external auth method with
the LDAP backend?

-- 
David
blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com
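The flow Dave describes above (the web server sets REMOTE_USER, Keystone drops the submitted username/password and only asks the identity backend whether that user exists) as an added illustration. This is not Keystone's code; the class names, the sample users and the simulated LDAP bind are assumptions made for the example. It also shows the two failure modes a practitioner cares about: a request with no REMOTE_USER at all, and a user the edge vouched for but the backend does not know.

```python
"""Toy model of Keystone's external auth flow as described in the thread.

Added illustration, not Keystone's own code.  The class and function
names and the sample users are assumptions for the example.
"""


class AuthError(Exception):
    """Raised when a request cannot be authenticated."""


class SqlBackend:
    """Stands in for the SQL identity backend.  Under external auth all it
    can contribute is 'is this username in the database?'."""

    def __init__(self, usernames):
        self._users = set(usernames)  # constructed sample data

    def user_exists(self, username):
        return username in self._users


class LdapBackend:
    """Stands in for the LDAP backend, which normally authenticates by
    binding with username + password.  For external auth it would have to
    fall back to the same existence check the SQL backend does."""

    def __init__(self, credentials):
        self._creds = dict(credentials)  # username -> password, constructed sample

    def authenticate(self, username, password):
        # Simulated LDAP simple bind.
        return self._creds.get(username) == password

    def user_exists(self, username):
        return username in self._creds


def external_auth(environ, backend, submitted_username=None, submitted_password=None):
    """Authenticate the way the thread describes the external method: what the
    client submitted is dropped on the floor, the identity comes from
    REMOTE_USER (set by the web server, not the client), and the backend is
    consulted only to confirm the user exists."""
    del submitted_username, submitted_password  # deliberately ignored
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        # Fail closed: no authentication happened at the edge.  A client that
        # sends its own "Remote-User:" header lands in the WSGI environ as
        # HTTP_REMOTE_USER, not REMOTE_USER, so it cannot satisfy this check.
        raise AuthError("request was not authenticated by the web server")
    if not backend.user_exists(remote_user):
        raise AuthError(f"{remote_user!r} authenticated at the edge but is "
                        "unknown to the identity backend")
    return remote_user


def password_auth(backend, username, password):
    """The non-external path for comparison: the backend itself verifies the
    credentials (a bind, in the LDAP case)."""
    if not backend.authenticate(username, password):
        raise AuthError("bad username or password")
    return username


def demo():
    """Run the cases discussed in the thread and return what happened."""
    sql = SqlBackend(["alice", "bob"])
    ldap = LdapBackend({"alice": "s3cret"})
    outcomes = {}
    # Web server authenticated alice (Kerberos, Basic auth, ...); the SQL
    # backend only needs to know she exists.  Submitted credentials are ignored.
    outcomes["sql_external"] = external_auth(
        {"REMOTE_USER": "alice"}, sql, "mallory", "wrong")
    # Same edge authentication against LDAP using the existence check.
    outcomes["ldap_external"] = external_auth({"REMOTE_USER": "alice"}, ldap)
    # Client tried to supply the identity itself; it arrives as HTTP_REMOTE_USER.
    try:
        external_auth({"HTTP_REMOTE_USER": "alice"}, sql)
        outcomes["forged_header"] = "accepted"
    except AuthError:
        outcomes["forged_header"] = "rejected"
    # The edge vouches for carol, but the Keystone backend has no such user.
    try:
        external_auth({"REMOTE_USER": "carol"}, sql)
        outcomes["unknown_user"] = "accepted"
    except AuthError:
        outcomes["unknown_user"] = "rejected"
    # The LDAP bind path still needs the real password.
    outcomes["ldap_bind"] = password_auth(ldap, "alice", "s3cret")
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The existence check in `external_auth` is the "duplicate" Dave refers to: it adds nothing about whether the credentials were good (that was decided at the edge), only that the identity the edge asserted maps to a user Keystone knows, which is what makes it safe to hand the request on to assignment and token issuance.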