On Thu, Oct 16, 2014 at 2:54 PM, Dave Walker <[email protected]> wrote:
> Hi Steve,
>
> Thanks for your response. I am talking generally about the external
> auth support. One use case is Kerberos, but for the sake of argument
> this could quite easily be Apache Basic auth. The point is, we have
> current support for entrusting AuthN outside of Keystone.
>
> What I was trying to outline is that it seems that the current design
> of external auth is that keystone is not in the auth pipeline as we
> trust auth at the edge. However, we then do additional auth within
> keystone.
>
> With external auth and SQL, we drop the user-provided username and
> password on the floor and use what was provided in REMOTE_USER (set by
> the webserver).
>
> Therefore the check as it currently stands in SQL is basically 'is
> this username in the database'. The LDAP plugin does authentication
> via username and password, which is clearly not sufficient for
> external auth. The LDAP plugin could be made to check in a similar
> manner to SQL 'is this a valid user' - but this would seem to be a
> duplicate check, as we already did this at the edge.
>
> If the webserver granted access to keystone, the user has already been
> checked to see if they are a valid user. However, your response seems
> to suggest that current external auth should be formally deprecated?

I may be missing something, but can you use the external auth method
with the LDAP backend?

--
David
blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
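The flow Dave describes (the web server authenticates at the edge and sets REMOTE_USER; keystone drops any username/password in the request and only confirms the account exists) is easy to misread, so here is a small model of it. This is an added illustration, not Keystone's own code: the class names SqlIdentity, LdapBindIdentity, LdapLookupIdentity and the function external_auth are hypothetical stand-ins, and the user records and passwords are constructed inline. It shows why an identity backend whose only primitive is a password bind cannot serve external auth (there is no password left to bind with), and what the "is this a valid user" lookup that would make it work looks like.

```python
"""Model of keystone-style external auth via REMOTE_USER.

Added example, not Keystone code. All names and data below are
constructed for illustration.
"""


class Unauthorized(Exception):
    """Raised when the backend cannot vouch for the REMOTE_USER principal."""


class SqlIdentity:
    """Stand-in for a backend that can look a user up by name.

    This is the check the SQL backend effectively performs for
    external auth: 'is this username in the database (and enabled)?'.
    """

    def __init__(self, users):
        self.users = users  # name -> {"id": ..., "enabled": bool}

    def get_user_by_name(self, name):
        user = self.users.get(name)
        if user is None or not user["enabled"]:
            raise Unauthorized("unknown or disabled user %r" % name)
        return user


class LdapBindIdentity:
    """Stand-in for an unmodified LDAP backend: its only primitive is a
    simple bind with username AND password."""

    def __init__(self, passwords):
        self.passwords = passwords  # name -> password (constructed)

    def authenticate(self, name, password):
        if password is None or self.passwords.get(name) != password:
            raise Unauthorized("bind failed for %r" % name)
        return {"id": name, "name": name, "enabled": True}


class LdapLookupIdentity(LdapBindIdentity):
    """The change Dave floats: give the LDAP backend a lookup-only check
    comparable to the SQL path (a search for the entry, no bind)."""

    def get_user_by_name(self, name):
        if name not in self.passwords:
            raise Unauthorized("no LDAP entry for %r" % name)
        return {"id": name, "name": name, "enabled": True}


def external_auth(environ, backend, body_credentials=None):
    """Authenticate a request that the web server already authenticated.

    environ: WSGI environ; REMOTE_USER must have been set by the server
             (e.g. mod_auth_kerb or Basic auth), never by the client.
    body_credentials: username/password from the request body. They are
             ignored on purpose, exactly as described in the thread.
    """
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        raise Unauthorized("REMOTE_USER not set; edge did not authenticate")

    del body_credentials  # dropped on the floor: the edge already did AuthN

    lookup = getattr(backend, "get_user_by_name", None)
    if lookup is None:
        # A bind-only backend needs a password, and external auth has none.
        raise Unauthorized("%s can only verify a password bind; external "
                           "auth has no password to offer"
                           % type(backend).__name__)
    return lookup(remote_user)


def outcome(environ, backend, body_credentials=None):
    """Helper returning ('ok', user_id) or ('denied', reason)."""
    try:
        return "ok", external_auth(environ, backend, body_credentials)["id"]
    except Unauthorized as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    env = {"REMOTE_USER": "alice"}
    sql = SqlIdentity({"alice": {"id": "u1", "enabled": True}})
    print(outcome(env, sql, ("alice", "wrong-password")))  # body ignored
    print(outcome(env, LdapBindIdentity({"alice": "s3cret"})))
    print(outcome(env, LdapLookupIdentity({"alice": "s3cret"})))
```

The whole scheme rests on one invariant the model makes explicit: REMOTE_USER is trusted only because the web server sets it after its own authentication and clients cannot supply it. If keystone were reachable on a path that bypasses that server, or the server could be induced to pass a client-chosen value through, the backend's "does this name exist" check is the only thing left, and it is not an authentication check. The body credentials being discarded is why a wrong password in the request still yields a token in the first call above.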
