On Thu, Oct 16, 2014 at 2:54 PM, Dave Walker <em...@daviey.com> wrote:

> Hi Steve,
> Thanks for your response.  I am talking generally about the external
> auth support.  One use case is Kerberos, but for the sake of argument
> this could quite easily be Apache Basic auth.  The point is, we have
> current support for entrusting AuthN outside of Keystone.
> What I was trying to outline is that it seems that the current design
> of external auth is that keystone is not in the auth pipeline as we
> trust auth at the edge.  However, we then do additional auth within
> keystone.
> With external auth and SQL, we drop the user provided username and
> password on the floor and use what was provided in REMOTE_USER (set by
> the webserver).
> Therefore the check as it currently stands in SQL is basically 'is
> this username in the database'.  The LDAP plugin does Authentication
> via username and password, which is clearly not sufficient for
> external auth.  The LDAP plugin could be made to check in a similar
> manner to SQL 'is this a valid user' - but this would seem to be a
> duplicate check, as we already did this at the edge.
> If the webserver granted access to keystone, the user has already been
> checked to see if they are a valid user.  However, your response seems
> to suggest that current external auth should be formally deprecated?

I may be missing something, but can you use the external auth method with
the LDAP backend?

blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com
OpenStack-dev mailing list

Reply via email to