Thank you for posting this issue to openstack-dev. I had posted this on the
openstack general user list and was waiting for response.

May i know, if we have any progress regarding this issue.

I am trying to use external HTTPD authentication with kerberos and LDAP
identity backend, in Havana.

I think, few things have changed with Openstack Icehouse release and
Keystone 0.9.0 on CentOS 6.5.

Currently I face a similar issue to yours : I get a full username with
domain as REMOTE_USER from apache, and keystone tries to search LDAP  along
with my domain name. ( i have not mentioned any domain information to
keystone. i assume it is called 'default', while my domain is: example.com )

I see that - External Default and External Domain are no longer supported by
keystone but intstead - 

keystone.auth.plugins.external.DefaultDomain or
external=keystone.auth.plugins.external.Domain are valid as of now.

I also tried using keystone.auth.plugins.external.kerberos after checking
the code, but it does not make any difference.

For example:

If i authenticate using kerberos with : lohit.vall...@example.com. I see the
following in the logs.

DEBUG keystone.common.ldap.core [-] LDAP search:
dn=ou=People,dc=example,dc=come, scope=1,
attrs=['mail', 'userPassword', 'enabled', 'uid'] search_s
2014-10-18 02:34:36.459 5592 DEBUG keystone.common.ldap.core [-] LDAP unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:777
2014-10-18 02:34:36.460 5592 WARNING keystone.common.wsgi [-] Authorization
failed. Unable to lookup user lohit.vall...@example.com from

Also, i see that keystone always searches with "uid", no matter what i enter
as a mapping value for userid/username in keystone.conf . I do not
understand if this is a bug or limitation. ( The above logs show that they
are not able to find uid with lohit.vall...@example.com since LDAP contains
uid without domain name)

May i know, how do i request keystone to split REMOTE_USER? Do i need to
mention default domain and sync with database in order for this to work?

Also, May i know - what modifications do i need to do to Havana to disable
username and password authentication, but instead use external
authentication such as Kerberos/REMOTE_USER.

Is anyone working on these scenarios? or do we have any better solutions?

I have read about Federation and Shibboleth authentication, but i believe
that is not the same as REMOTE_USER/Kerberos authentication.

Thank you,


Thank you,


View this message in context: 
Sent from the Developer mailing list archive at Nabble.com.

OpenStack-dev mailing list

Reply via email to