[one-users] [Sunstone] Mixing password and X509 authentication

2015-02-10 Thread Daniel Dehennin
Hello,

I would like to mix the authentication methods on Sunstone.

I created an X509 user[1] and the one* CLI are working with it.

According to the documentation[2], I need to switch Sunstone to “x509”,
but I thought that using “:auth: opennebula” would permit using whatever
is configured for the user.

I first tried as explained in the documentation:

- set “:auth: x509” in sunstone

- install user certificate authority to “/etc/one/auth/certificates/”

- configure my nginx as described in the attachment

- install the user x509 certificate on my iceweasel 35.0.1 browser

When I access Sunstone, my browser asks me to choose my certificate but I
end up on the login page with only a “Login” button plus the “Keep me logged
in” checkbox.

I must have missed some headers to add to my requests.

Any hints?

Regards.

Footnotes:
[1] http://docs.opennebula.org/4.10/administration/authentication/x509_auth.html

[2] http://docs.opennebula.org/4.10/administration/authentication/x509_auth.html#enabling-x509-auth-in-sunstone

-- 
Daniel Dehennin
Get my GPG key: gpg --recv-keys 0xCC1E9E5B7A6FE2DF
Fingerprint: 3E69 014E 5C23 50E8 9ED6  2AAD CC1E 9E5B 7A6F E2DF

# Opennebula Sunstone
upstream sunstone {
    server 127.0.0.1:9869;
}

upstream onerpc {
    server 127.0.0.1:2633;
}

# Port 80 redirected to SSL
server {
    listen 80;
    server_name nebula.example.net;

    location / {
        return 301 https://$host$request_uri?;
    }
}


# SSL reverse-proxy
server {
    listen 443 default_server;
    listen [::]:443 default_server ipv6only=on;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client optional;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name nebula.example.net;

    access_log  /var/log/nginx/opennebula-sunstone-access.log;
    error_log  /var/log/nginx/opennebula-sunstone-error.log;

    client_max_body_size 5G;

    location / {
        try_files $uri @sunstone;
    }

    location /RPC2 {
        include proxy_params;
        proxy_pass http://onerpc;
    }

    location @sunstone {
        include proxy_params;
        proxy_set_header SSL_CLIENT_S_DN $ssl_client_s_dn;
        proxy_set_header SSL_CLIENT_I_DN $ssl_client_i_dn;
        proxy_set_header SSH_CLIENT_VERIFY $ssl_client_verify;
        proxy_set_header SSH_CLIENT_CERT $ssl_client_cert;

        include ssl_parms;
        proxy_pass http://sunstone;
    }
}


___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org


Re: [one-users] [Sunstone] Mixing password and X509 authentication

2015-02-13 Thread Daniel Molina
Hi,

In this file you can check the headers used by the x509 auth:
https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/X509CloudAuth.rb

and this is an old guide on how to set up this configuration in Apache:
http://community.opennebula.org/sunstone_x509

Hope this helps



-- 
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula
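
Added example (not part of the original thread, and not OpenNebula code): a small check that lists which request headers a location block forwards from nginx's $ssl_client_* variables, the Rack environment key the Sunstone process would see for each, and any header whose name does not match the variable it carries. The sample input is constructed from the attached configuration; the expected_env_keys argument is an assumption to be filled in from X509CloudAuth.rb.

```python
import re

# Constructed sample: the @sunstone location from the attached nginx configuration.
SAMPLE = """
location @sunstone {
    include proxy_params;
    proxy_set_header SSL_CLIENT_S_DN $ssl_client_s_dn;
    proxy_set_header SSL_CLIENT_I_DN $ssl_client_i_dn;
    proxy_set_header SSH_CLIENT_VERIFY $ssl_client_verify;
    proxy_set_header SSH_CLIENT_CERT $ssl_client_cert;
    proxy_pass http://sunstone;
}
"""

# proxy_set_header <name> $ssl_client_<something>;
DIRECTIVE = re.compile(
    r"^\s*proxy_set_header\s+(\S+)\s+\$(ssl_client_\w+)\s*;", re.M
)


def rack_env_key(header):
    """Key under which a Rack application sees a forwarded request header."""
    return "HTTP_" + header.upper().replace("-", "_")


def forwarded_cert_headers(conf):
    """Return (header, nginx variable, Rack env key) per ssl_client_* header."""
    return [(h, v, rack_env_key(h)) for h, v in DIRECTIVE.findall(conf)]


def audit(conf, expected_env_keys=()):
    """Report headers named differently from their variable, and any key
    the backend is expected to read (caller-supplied) that is never set."""
    rows = forwarded_cert_headers(conf)
    findings = []
    for header, var, key in rows:
        if header.lower().replace("-", "_") != var:
            findings.append(f"{header}: differs from ${var}, upstream sees {key}")
    seen = {key for _, _, key in rows}
    for key in expected_env_keys:
        if key not in seen:
            findings.append(f"{key}: expected by the backend but never set")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Pass the environment keys found in X509CloudAuth.rb as expected_env_keys to confirm that each one is actually populated by the proxy.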