[Openstack-operators] Keystone and Active Directory

Adam Young ayoung at redhat.com
Tue Jul 17 21:22:21 UTC 2012

For Kerberos, I would suggest the following:

1.  Run Keystone in Apache HTTP with mod_auth_kerberos.  It can fall 
back to userID/password.
2.  Modify the authentication mechanisms so that it checks REMOTE_USER 
the same way it currently checks USERID/password when providing a token

Cross realm trust is a nice-to-have,  but I suspect that it is not up to 
Keystone to implement, but rather something that needs to be set up 
correctly Kerberos wise.  Once Kerberos Auth works, cross realm should 
work, too.

More information about the Openstack-operators mailing list