[one-users] [Sunstone] Mixing password and X509 authentication

Tue, 10 Feb 2015 08:17:00 -0800 

Hello,

I would like to mix the authentication methods on Sunstone.

I created an X509 user[1] and the one* CLI are working with it.

According to the documentation[2], I need to switch Sunstone to “x509”,
but I thought that using “:auth: opennebula” permit to use whatever is
configured for the user.

I first try as explained in the documentation:

- set “:auth: x509” in sunstone

- install user certificate authority to “/etc/one/auth/certificates/”

- configure my nginx as describe in attachement

- install the user x509 certificate on my iceweasel 35.0.1 browser

When I access Sunstone, my browser ask me to choose my certificate but I
finish on login page with only a “Login” button plus the “Keep me logged
in” checkbox.

I should have miss some headers to add to my Requests.

Any hints?

Regards.

Footnotes: 
[1]  
http://docs.opennebula.org/4.10/administration/authentication/x509_auth.html

[2]  
http://docs.opennebula.org/4.10/administration/authentication/x509_auth.html#enabling-x509-auth-in-sunstone

-- 
Daniel Dehennin
Récupérer ma clef GPG: gpg --recv-keys 0xCC1E9E5B7A6FE2DF
Fingerprint: 3E69 014E 5C23 50E8 9ED6  2AAD CC1E 9E5B 7A6F E2DF


# Opennebula Sunstone
upstream sunstone {
         server 127.0.0.1:9869;
}

upstream onerpc {
         server 127.0.0.1:2633;
}

# Port 80 redirected to SSL
server {
        listen         80;
        server_name    nebula.example.net;

        location / {
                return 301 https://$host$request_uri?;
        }
}


# SSL reverse-proxy
server {
        listen 443 default_server;
        listen [::]:443 default_server ipv6only=on;

        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client optional;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name nebula.example.net;

        access_log  /var/log/nginx/opennebula-sunstone-access.log;
        error_log  /var/log/nginx/opennebula-sunstone-error.log;

        client_max_body_size 5G;

        location / {
                try_files $uri @sunstone;
        }

        location /RPC2 {
                include proxy_params;
                proxy_pass http://onerpc;
        }

        location @sunstone {
                include proxy_params;
                proxy_set_header SSL_CLIENT_S_DN $ssl_client_s_dn;
                proxy_set_header SSL_CLIENT_I_DN $ssl_client_i_dn;
                proxy_set_header SSH_CLIENT_VERIFY $ssl_client_verify;
                proxy_set_header SSH_CLIENT_CERT $ssl_client_cert;
                
                include ssl_parms;
                proxy_pass http://sunstone;
        }
}

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org

Reply via email to