[Openstack] -[keystone] help configure keystone for token ssl x509 authorization

Adam Young ayoung at redhat.com
Thu Jul 28 01:11:55 UTC 2016


On 07/04/2016 11:14 AM, schmitt wrote:
> Hi,
> I am learning to configure keystone for tokenless ssl x509
> authorization, according to the document:
> http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html. 
>
> when making self-signed certificate with command openssl,
> I don't know how to define issuer DN and subject DN for ssl x509.
> Is it right as the following?
> For example,
> if using tokenless authorization between nova service and keystone,
> I define issuer DN like the following:
It is just a mapping: whatever you choose for the DN needs to be
mappable to the username in Keystone.
The example has "type": "SSL_CLIENT_S_DN_CN". So if the
SSL_CLIENT_S_DN_CN is schmitt at openstack.com then the username needs to
be schmitt at openstack.com.

There are many attributes you can use for mapping.  Here is a decent 
summary:
http://www.freeipa.org/page/Environment_Variables


> E=schmitt at openstack.com
> CN=schmitt
> OU=keystone
> O=openstack
> L=Sunnyvale
> S=California
> C=US
> and define subject DN like the following:
> E=nova at openstack.com
> CN=nova          # nova user defined in the configuration item
> [keystone_authtoken] in file "/etc/nova/nova.conf"
> OU=default
> O=defalult
> L=Sunnyvale
> S=California
> C=US
>
> Also, is there something special between subject DN and openstack service?
> Thanks & Regards,
>
> schmitt
>


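The mapping described in the reply above, as an added example that is not part of this thread or of keystone's own code: a minimal evaluator that applies a keystone-style mapping rule to the SSL_CLIENT_* variables the TLS terminator exports, after first checking that the client certificate was verified and that its issuer DN is one the deployment trusts. The trusted issuer DN, the environment values and the rule text are constructed for the illustration; the `[tokenless_auth] trusted_issuer` option referenced in the comments is assumed from keystone.conf.

```python
import json

# Mapping rule in the shape used by the keystone tokenless x509 docs: the CN of the
# client certificate's subject DN becomes the local username. Constructed example.
MAPPING_RULES = json.loads("""
[
  {
    "local": [{"user": {"name": "{0}", "domain": {"name": "Default"}}}],
    "remote": [{"type": "SSL_CLIENT_S_DN_CN"}]
  }
]
""")

# Issuer DNs this deployment trusts (the role of [tokenless_auth] trusted_issuer
# in keystone.conf). Constructed value; the exact DN string format depends on how
# the web server renders SSL_CLIENT_I_DN.
TRUSTED_ISSUERS = {
    "CN=schmitt,OU=keystone,O=openstack,L=Sunnyvale,ST=California,C=US",
}


def resolve_user(env, rules=MAPPING_RULES, trusted_issuers=TRUSTED_ISSUERS):
    """Return the username the mapping yields for one request environment, or None.

    `env` holds the SSL_CLIENT_* variables exported after client-certificate
    verification. The issuer check runs before the mapping: a well-formed
    certificate from an untrusted CA must never reach the subject-CN lookup,
    otherwise anyone able to mint a cert with CN=nova could act as nova.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    if env.get("SSL_CLIENT_I_DN") not in trusted_issuers:
        return None
    for rule in rules:
        values = []
        for req in rule["remote"]:
            value = env.get(req["type"])
            if value is None:
                break  # this rule needs an attribute the request lacks
            values.append(value)
        else:
            # All remote attributes present: fill the local username template.
            return rule["local"][0]["user"]["name"].format(*values)
    return None
```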