On 10/16/2014 03:18 PM, Dave Walker wrote:
On 16 October 2014 20:07, David Stanek <dsta...@dstanek.com> wrote:
<SNIP>
I may be missing something, but can you use the external auth method with
the LDAP backend?

No, as the purpose of the LDAP backend is to validate that the user/pass
combination is valid.  With the external auth plugin, these are not
provided to keystone (and may not even exist).  If they did exist, we
would be doing auth at the edge and at the backend - which seems
needlessly expensive.

--
Kind Regards,
Daviey Walker

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

The short of it is that what you are describing is handled by Federation.

I think that there is some confusion in the processing of an authN/authZ request, which we call "create a token".

Here's how I would expect it to work in a Kerberos case (the archetype for external) before the use of Federation:

1. mod_auth_kerb authenticates the user and sets REMOTE_USER before calling the Keystone WSGI app
2. Keystone accepts REMOTE_USER and looks up the user in LDAP to get groups
3. Userid and Groups are used to fetch roles to populate the token

We can also use the OS and mod_lookup_identity to get us Groups: see this write-up for how to use Federation with SSSD

http://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/

That is old and needs to be updated, but the concepts are the same.


With Federation, you provide a mapping and a bunch of env vars to the Keystone server, and there is no need to persist the user in the user table.


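One way to picture the three-step flow from the reply above, as an added example that is not code from the thread, from Keystone or from mod_auth_kerb: the web server does step 1 and hands over REMOTE_USER in the WSGI environ, and the toy handler below does steps 2 and 3. The directory contents and the group-to-role table are constructed stand-ins.

```python
# Added example (not from the thread, Keystone or mod_auth_kerb): a toy
# "create a token" handler for the external-auth flow. The front-end auth
# module (step 1) sets REMOTE_USER; steps 2 and 3 are implemented below.

DIRECTORY = {            # constructed stand-in for the LDAP user -> groups lookup
    "alice": ["admins", "devs"],
    "bob": ["devs"],
}
GROUP_ROLES = {          # constructed stand-in for group -> role assignments
    "admins": {"admin", "member"},
    "devs": {"member"},
}


class ExternalAuthError(Exception):
    """Raised when the request carries no trustworthy external identity."""


def external_user(environ):
    """Step 1 handoff: take REMOTE_USER only from the server environment.

    A client-supplied 'Remote-User:' request header shows up in a WSGI
    environ as HTTP_REMOTE_USER, so it is never consulted here; only the
    web server's own auth module can set REMOTE_USER.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        raise ExternalAuthError("REMOTE_USER not set by the front-end auth module")
    return user


def ldap_groups(user):
    """Step 2: look the user up in the directory to get their groups."""
    if user not in DIRECTORY:
        raise ExternalAuthError("user %r not found in directory" % user)
    return list(DIRECTORY[user])


def roles_for(groups):
    """Step 3: turn group membership into the roles that go into the token."""
    roles = set()
    for group in groups:
        roles |= GROUP_ROLES.get(group, set())
    return sorted(roles)


def create_token(environ):
    """Whole flow: identity from the edge, groups from LDAP, roles from groups."""
    user = external_user(environ)
    groups = ldap_groups(user)
    return {"user": user, "groups": groups, "roles": roles_for(groups)}
```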
