On 04/19/2015 06:05 PM, Diogenes S. Jesus wrote:
Hi man.
I've seen your thread
<http://lists.openstack.org/pipermail/openstack-dev/2014-June/036733.html>
on OpenStack mailing list regarding using Kerberos on Horizon.
I've been pulling my hair around this topic, however I'm trying to
authenticate using X.509.
I've googled around and found only topics related to keystone external
auth - but that doesn't really solve the problem, because horizon is
the one handling the request.
If you've reached good level on this topic or can point out to some
third-party solution I would be glad.
Diogenes,
Thanks for asking this. It is a question that has come up a few times,
and should be addressed.
I think the right approach is to use Federation, in the same way that I
protoyped here:
http://adam.younglogic.com/2015/04/horizon-websso-sssd/
The short of it is that you would use the Mapped plugin for the 'X509'
protocol instead of Kerberos (maybe `clientcert` is a better name?) and
Have a section in your httpd section for Keystone that has (among other
settings)
|||<location ~ ||"x509"| |>|
Require valid-user
SSLRequireSSL
|SSLVerifyClient require
|</location>
You would then provide values in the mapping that use the SSL Variables,
such as SSL_CLIENT_S_DN instead of REMOTE_USER
For the user database, we have support coming in Kilo for mapping to an
existing user, so you should be able to work with some version of the
LDAP backend for that, but I would suggest you look at the SSSD approach
for LDAP integration instead, as it will be usable both for Keystone and
for the VMs running managed by Nova (both Undercloud AND cloud
Authentication)
I haven't prototyped Client Cert authentication yet, unfortunately. I
would love to know if it does work, and would be willing to help work
through the gotcha's.
Thanks!
--
--------
Diogenes S. de Jesus
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
