Thanks Adam. I don't think I asked the right question. I'm wondering how I get horizon to use the external auth when keystone is running behind apache.
On Mon, May 20, 2013 at 10:22 AM, Adam Young <ayo...@redhat.com> wrote:

> On 05/16/2013 11:29 AM, Aaron Knister wrote:
>
> Thanks Adam. I was able to get that far after a *lot* of headache. AD's typical schema doesn't map to what OpenStack is expecting, particularly as far as the domain_id attribute is concerned.
>
> Sorry about that. I am not too fond of our Domain_id thing either, and working to rectify:
>
> When running Keystone under Apache HTTPD how does one use horizon?
>
> No change. You can report ports other than 5000/35357 for Keystone's service catalog if you want to have Keystone serve on 443. Or, you can have apache listen on the usual keystone ports. You will want Keystone on a separate machine from Horizon.
>
> On Wed, May 15, 2013 at 3:57 PM, Adam Young <ayo...@redhat.com> wrote:
>
>> Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk to AD.
>>
>> On 05/14/2013 06:11 PM, Aaron Knister wrote:
>>
>> *bump*
>>
>> Here's the tl;dr version:
>>
>> - How have other folks handled integration of OpenStack with existing authN/authZ infrastructures? I'm particularly interested in the automatic mapping of existing LDAP groups to roles/tenants within openstack.
>> - Are there plans to add support for the auth plugins to the *client modules and CLI tools going forward? I'd be interested in contributing this if it's on the roadmap and hasn't been done yet.
>> - Are there plans to add support for auth plugins/external auth to Horizon? As above, I'm interested in implementing this if there's interest.
>> - I see vague references in the documentation/*client code to using certificates for authentication (without the need for httpd external authentication) which would also eliminate the credentials-in-environment-variables issue. Is using PKI for authentication going to be supported? If so what's the status?
>>
>> Am I perhaps posting this to the wrong list? I didn't get any replies from my original post.
>>
>> Thanks!
>>
>> -Aaron
>>
>> On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knis...@gmail.com> wrote:
>>
>>> Hi Everyone,
>>>
>>> I'm looking for feedback and input about what other sites are doing for authentication and authorization with OpenStack.
>>>
>>> First, some background:
>>>
>>> I'm currently evaluating OpenStack (Grizzly), specifically working on integration with Active Directory. I'm unable to modify the schema to allow groupOfNames as a SUP of organizationalRole so I've implemented a workaround using openldap and several of its overlays backends to sit in front of AD. That all works just fine, however I really would like to be able to map AD groups to roles/tenants. I suspect I'll end up writing some code to do this-- shouldn't be too hard.
>>>
>>> Also on the subject of Active Directory, it's a show stopper for me to put un-encrypted AD credentials in environment variables to then pass to the various openstack CLI progs. My ideal workaround would be to use Kerberos authentication which I actually have working. I set up keystone to run under apache based on this documentation with some tweaks here and there:
>>>
>>> http://docs.openstack.org/developer/keystone/external-auth.html
>>>
>>> I created an openstack client auth plugin (based on the VOMS auth plugin) using requests_kerberos and this works well with the nova client, however none of the other client tools, including horizon, seem to support authentication plugins or the external authentication concept in general.
>>>
>>> So, here are my questions:
>>>
>>> - How have other folks handled integration of OpenStack with existing authN/authZ infrastructures? I'm particularly interested in the automatic mapping of existing LDAP groups to roles/tenants within openstack.
>>> - Are there plans to add support for the auth plugins to the *client modules and CLI tools going forward? I'd be interested in contributing this if it's on the roadmap and hasn't been done yet.
>>> - Are there plans to add support for auth plugins/external auth to Horizon? As above, I'm interested in implementing this if there's interest.
>>> - I see vague references in the documentation/*client code to using certificates for authentication (without the need for httpd external authentication) which would also eliminate the credentials-in-environment-variables issue. Is using PKI for authentication going to be supported? If so what's the status?
>>>
>>> Thanks in advance!
>>>
>>> -Aaron
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp