Re: [Openstack] PAM authentication for Folsom Keystone

2013-03-01 Thread Brant Knudson
I tried setting up httpd fronting keystone but wasn't able to figure out
how to get it to work. I configured Apache to require LDAP authentication
for keystone tokens. One problem is that keystone clients today aren't
doing http basic authentication. E.g., if you run
"nova --os-username=admin --os-password=whatever list", it doesn't do
http basic auth; it does keystone auth, where it sends the
username/password in the post data.

Here's the apache config file that I tried to use for keystone token auth,
in case anyone finds it interesting (note that it worked as far as you
can get a token using curl):

---

Listen 35357

<VirtualHost *:35357>
  WSGIScriptAlias /  /opt/stack/keystone/httpd/admin
  <Location /v2.0/tokens>
    AuthType Basic
    AuthName OpenStack
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
    Require valid-user
  </Location>
</VirtualHost>

Listen 5000

<VirtualHost *:5000>
  WSGIScriptAlias /  /opt/stack/keystone/httpd/main
  <Location /v2.0/tokens>
    AuthType Basic
    AuthName OpenStack
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
    Require valid-user
  </Location>
</VirtualHost>

---

I think a problem with this config is that it should require basic auth
only when doing a POST /v2.0/tokens request, and not require auth for GET.

Here's the curl command to get a token, which worked with this config:

$ curl --user admin:adminpwd \
 -H "Content-Type: application/json" \
 -d '{"auth": {}}' \
 http://localhost:35357/v2.0/tokens


On Thu, Feb 28, 2013 at 2:25 AM, Alvaro Lopez al...@ifca.unican.es wrote:

 On Tue 26 Feb 2013 (13:41), Joshua wrote:
  Matt at this point I am just trying to log into keystone using users I
  created on the Unix system.

 You mean authenticate against keystone using your system users?

 You should be able to do so by running keystone as a WSGI behind an
 Apache http server that will make the authentication (PAM in this case,
 but can be any auth method supported by apache) and then using the
 external authentication method [1].

 [1]
 http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication

 Regards,
 --
 Álvaro López García  al...@ifca.unican.es
 Instituto de Física de Cantabria http://devel.ifca.es/~aloga/
 Ed. Juan Jordá, Campus UC  tel: (+34) 942 200 969
 Avda. de los Castros s/n
 39005 Santander (SPAIN)
 _
 Premature optimization is the root of all evil (or at least most of it)
  in programming. -- Donald Knuth




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
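
Added example, not part of the original thread: one way to express the
change described in the message above, requiring Basic auth for POST
/v2.0/tokens while leaving GET unauthenticated at the Apache layer, using
<LimitExcept>. It assumes mod_wsgi and mod_authnz_ldap are loaded and reuses
the paths and LDAP URL from the message; only the port 5000 vhost is shown,
and the 35357 vhost would take the same <Location> block.

```apache
# Added example (not the poster's config). Paths and the LDAP URL are
# copied from the message above; module availability is an assumption.
Listen 5000

<VirtualHost *:5000>
  # Basic auth carries the password base64-encoded on every request,
  # so serve this vhost over TLS (mod_ssl) outside a local test setup.
  WSGIScriptAlias /  /opt/stack/keystone/httpd/main

  <Location /v2.0/tokens>
    AuthType Basic
    AuthName "OpenStack"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one"

    # Before: a bare "Require valid-user" here challenged every method,
    # including GET.
    #
    # After: challenge every method except GET. Apache treats HEAD as
    # part of GET in <Limit>/<LimitExcept>, so HEAD is exempt as well.
    # <LimitExcept> is used rather than <Limit POST> so that any method
    # not listed is still protected by default.
    <LimitExcept GET>
      Require valid-user
    </LimitExcept>
  </Location>
</VirtualHost>
```

<Location> matches by path prefix, so DELETE /v2.0/tokens/<id> is challenged
as well, while GET and HEAD on token ids pass through to keystone's own
X-Auth-Token check.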


Re: [Openstack] PAM authentication for Folsom Keystone

2013-02-28 Thread Alvaro Lopez
On Tue 26 Feb 2013 (13:41), Joshua wrote:
 Matt at this point I am just trying to log into keystone using users I
 created on the Unix system.

You mean authenticate against keystone using your system users?

You should be able to do so by running keystone as a WSGI behind an
Apache http server that will make the authentication (PAM in this case,
but can be any auth method supported by apache) and then using the
external authentication method [1].

[1] 
http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication

Regards,
-- 
Álvaro López García  al...@ifca.unican.es
Instituto de Física de Cantabria http://devel.ifca.es/~aloga/
Ed. Juan Jordá, Campus UC  tel: (+34) 942 200 969
Avda. de los Castros s/n
39005 Santander (SPAIN)
_
Premature optimization is the root of all evil (or at least most of it)
 in programming. -- Donald Knuth





Re: [Openstack] PAM authentication for Folsom Keystone

2013-02-26 Thread Matt Joyce
Oops  misunderstood.

Was thinking PAM - Keystone.

Sorry

On Tue, Feb 26, 2013 at 12:25 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:

 I did it.  Works fine.

 But SSH won't work without an NSS service.

 SSH clients perform a getpwnam() before passing auth creds to PAM.

 I'll ask if I can publish my code.

 On Tue, Feb 26, 2013 at 12:15 PM, Joshua j...@root.bz wrote:

 I am trying to integrate Folsom Keystone PAM authentication. I was
 wondering if anyone has been successful in getting basic PAM auth working?

 I am trying to do KEYSTONE - PAM - LDAP eventually.

 Any help with the PAM Auth would be greatly appreciated.






Re: [Openstack] PAM authentication for Folsom Keystone

2013-02-26 Thread Matt Joyce
I did it.  Works fine.

But SSH won't work without an NSS service.

SSH clients perform a getpwnam() before passing auth creds to PAM.

I'll ask if I can publish my code.

On Tue, Feb 26, 2013 at 12:15 PM, Joshua j...@root.bz wrote:

 I am trying to integrate Folsom Keystone PAM authentication. I was
 wondering if anyone has been successful in getting basic PAM auth working?

 I am trying to do KEYSTONE - PAM - LDAP eventually.

 Any help with the PAM Auth would be greatly appreciated.





Re: [Openstack] PAM authentication for Folsom Keystone

2013-02-26 Thread Joshua
Matt at this point I am just trying to log into keystone using users I
created on the Unix system.


On Tue, Feb 26, 2013 at 1:27 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:

 Oops  misunderstood.

 Was thinking PAM - Keystone.

 Sorry


 On Tue, Feb 26, 2013 at 12:25 PM, Matt Joyce 
 matt.jo...@cloudscaling.com wrote:

 I did it.  Works fine.

 But SSH won't work without an NSS service.

 SSH clients perform a getpwnam() before passing auth creds to PAM.

 I'll ask if I can publish my code.

 On Tue, Feb 26, 2013 at 12:15 PM, Joshua j...@root.bz wrote:

  I am trying to integrate Folsom Keystone PAM authentication. I was
 wondering if anyone has been successful in getting basic PAM auth working?

 I am trying to do KEYSTONE - PAM - LDAP eventually.

 Any help with the PAM Auth would be greatly appreciated.




