I tried setting up httpd fronting keystone but wasn't able to figure out how to get it to work. I configured Apache to require LDAP authentication for keystone tokens. One problem is that keystone clients today aren't doing http basic authentication. e.g., if you run "nova --os-username=admin --os-password=whatever list" it doesn't do http basic auth, it does keystone auth where it sends the username/password in the post data.
Here's the apache config file that I tried to use for keystone token auth, in case anyone finds it interesting (note that it "worked" as far as you can get a token using curl):

-------------------
Listen 35357
<VirtualHost *:35357>
    WSGIScriptAlias / /opt/stack/keystone/httpd/admin
    <Location /v2.0/tokens>
        AuthType Basic
        AuthName OpenStack
        AuthBasicProvider ldap
        AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
        Require valid-user
    </Location>
</VirtualHost>

Listen 5000
<VirtualHost *:5000>
    WSGIScriptAlias / /opt/stack/keystone/httpd/main
    <Location /v2.0/tokens>
        AuthType Basic
        AuthName OpenStack
        AuthBasicProvider ldap
        AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
        Require valid-user
    </Location>
</VirtualHost>
-------------------

I think a problem with this config is that it should require basic auth only when doing a POST /v2.0/tokens request, and not require auth for GET.

Here's the curl command to get a token, which worked with this config:

$ curl --user admin:adminpwd \
    -H "Content-Type: application/json" \
    -d '{"auth": {}}' \
    http://localhost:35357/v2.0/tokens

On Thu, Feb 28, 2013 at 2:25 AM, Alvaro Lopez <al...@ifca.unican.es> wrote:
> On Tue 26 Feb 2013 (13:41), Joshua wrote:
> > Matt at this point I am just trying to log into keystone using users I
> > created on the Unix system.
>
> You mean authenticate against keystone using your system users?
>
> You should be able to do so by running keystone as a WSGI behind an
> Apache http server that will make the authentication (PAM in this case,
> but can be any auth method supported by apache) and then using the
> external authentication method [1].
>
> [1] http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication
>
> Regards,
> --
> Álvaro López García                al...@ifca.unican.es
> Instituto de Física de Cantabria   http://devel.ifca.es/~aloga/
> Ed. Juan Jordá, Campus UC          tel: (+34) 942 200 969
> Avda. de los Castros s/n
> 39005 Santander (SPAIN)
> _____________________________________________________________________
> "Premature optimization is the root of all evil (or at least most of it)
> in programming." -- Donald Knuth
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
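The poster notes that the config above challenges every method on /v2.0/tokens, while only the POST that issues a token should need LDAP credentials. The following is an added example, not the poster's config and not part of the Keystone project, showing one way to scope the Basic-auth requirement to POST with Apache's `<Limit>` section. The ports, WSGI script path and LDAP URL are copied from the post; the `WSGIPassAuthorization` line and the comment about REMOTE_USER assume Keystone is configured for the external-auth method linked in the quoted reply.

```apache
# Added example (not the original poster's config or Keystone's own).
# Apache virtual host for the Keystone admin API: HTTP Basic credentials,
# verified against LDAP, are demanded only for POST /v2.0/tokens (token issue).
# GET /v2.0/tokens (token validation) is passed through without a challenge.
# The port 5000 virtual host would repeat this block with the "main" script.

Listen 35357
<VirtualHost *:35357>
    # Same WSGI script path as in the post
    WSGIScriptAlias / /opt/stack/keystone/httpd/admin

    # Apache consumes the Authorization header itself; with external auth
    # Keystone reads the authenticated name from REMOTE_USER, so the raw
    # credentials do not need to reach the application (assumption: Keystone
    # external-auth method enabled as in the linked doc).
    WSGIPassAuthorization Off

    <Location /v2.0/tokens>
        AuthType Basic
        AuthName OpenStack
        AuthBasicProvider ldap
        # Search base and login attribute copied from the post: cn is the username
        AuthLDAPURL "ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one"

        # Enforce the LDAP check for POST only; other methods carry no Require
        # directive here and are therefore not challenged.
        <Limit POST>
            Require valid-user
        </Limit>
    </Location>
</VirtualHost>
```

A quick check after reloading Apache: the poster's curl command with `--user` should still return a token, the same POST without `--user` should get a 401 with a `WWW-Authenticate: Basic` header, and a GET to /v2.0/tokens should not be challenged at all. Because Basic auth only base64-encodes the password, this vhost should be served over TLS (mod_ssl) or kept on a loopback/private interface, and the `ldap://localhost` bind should likewise stay local or be switched to `ldaps://`, otherwise the LDAP credentials cross the wire in clear text on both hops.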