openstack team mailing list archive

Re: PAM authentication for Folsom Keystone


I tried setting up httpd fronting keystone but wasn't able to figure out
how to get it to work. I configured Apache to require LDAP authentication
for keystone tokens. One problem is that keystone clients today aren't
doing http basic authentication. e.g., if you run "nova --os-username=admin
--os-password=whatever list" it doesn't do http basic auth, it does
keystone auth where it sends the username/password in the post data.

Here's the apache config file that I tried to use for keystone token auth,
in case anyone finds it interesting (note that it "worked" as far as you
can get a token using curl):

-------------------

Listen 35357

<VirtualHost *:35357>
  WSGIScriptAlias /  /opt/stack/keystone/httpd/admin
  <Location /v2.0/tokens>
    AuthType Basic
    AuthName OpenStack
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one"
    Require valid-user
  </Location>
</VirtualHost>

Listen 5000

<VirtualHost *:5000>
  WSGIScriptAlias /  /opt/stack/keystone/httpd/main
  <Location /v2.0/tokens>
    AuthType Basic
    AuthName OpenStack
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one"
    Require valid-user
  </Location>
</VirtualHost>

-------------------

I think a problem with this config is that it should require basic auth
only when doing a POST /v2.0/tokens request, and not require auth for GET.

Here's the curl command to get a token, which worked with this config:

$ curl --user admin:adminpwd \
 -H "Content-Type: application/json" \
 -d '{"auth": {}}' \
 http://localhost:35357/v2.0/tokens


On Thu, Feb 28, 2013 at 2:25 AM, Alvaro Lopez <aloga@xxxxxxxxxxxxxx> wrote:

> On Tue 26 Feb 2013 (13:41), Joshua wrote:
> > Matt at this point I am just trying to log into keystone using users I
> > created on the Unix system.
>
> You mean authenticate against keystone using your system users?
>
> You should be able to do so by running keystone as a WSGI behind an
> Apache http server that will make the authentication (PAM in this case,
> but can be any auth method supported by apache) and then using the
> external authentication method [1].
>
> [1]
> http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication
>
> Regards,
> --
> Álvaro López García                              aloga@xxxxxxxxxxxxxx
> Instituto de Física de Cantabria         http://devel.ifca.es/~aloga/
> Ed. Juan Jordá, Campus UC                      tel: (+34) 942 200 969
> Avda. de los Castros s/n
> 39005 Santander (SPAIN)
> _____________________________________________________________________
> "Premature optimization is the root of all evil (or at least most of it)
>  in programming." -- Donald Knuth
>

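The method-scoped variant the message above says the config should have had, as an added example that is not part of the original post or of Keystone's own httpd files; it assumes the same WSGI script paths and LDAP base DN as the posted config, and that mod_authnz_ldap is loaded.

```apache
# Admin endpoint: Basic auth against LDAP is enforced only for token
# issuance (POST /v2.0/tokens); GET and HEAD on the same path pass through
# to keystone unauthenticated by Apache. Assumed paths/DN match the post.
Listen 35357

<VirtualHost *:35357>
  WSGIScriptAlias /  /opt/stack/keystone/httpd/admin
  <Location /v2.0/tokens>
    # Everything except GET/HEAD (i.e. the POST that requests a token)
    # must carry valid Basic credentials.
    <LimitExcept GET HEAD>
      AuthType Basic
      AuthName OpenStack
      AuthBasicProvider ldap
      AuthLDAPURL "ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one"
      Require valid-user
    </LimitExcept>
  </Location>
</VirtualHost>

# Public endpoint: identical policy on port 5000.
Listen 5000

<VirtualHost *:5000>
  WSGIScriptAlias /  /opt/stack/keystone/httpd/main
  <Location /v2.0/tokens>
    <LimitExcept GET HEAD>
      AuthType Basic
      AuthName OpenStack
      AuthBasicProvider ldap
      AuthLDAPURL "ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one"
      Require valid-user
    </LimitExcept>
  </Location>
</VirtualHost>
```

To check the split, the curl POST from the message should return 401 without `--user` and a token with it, while a plain `curl http://localhost:35357/v2.0/tokens` (GET) should reach keystone without any Basic challenge.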