Re: [Openstack] PAM authentication for Folsom Keystone
I tried setting up httpd fronting keystone but wasn't able to figure out how to get it to work. I configured Apache to require LDAP authentication for keystone tokens. One problem is that keystone clients today aren't doing http basic authentication. e.g., if you run

    nova --os-username=admin --os-password=whatever list

it doesn't do http basic auth, it does keystone auth where it sends the username/password in the post data.

Here's the apache config file that I tried to use for keystone token auth, in case anyone finds it interesting (note that it worked as far as you can get a token using curl):

---
Listen 35357
<VirtualHost *:35357>
    WSGIScriptAlias / /opt/stack/keystone/httpd/admin
    <Location /v2.0/tokens>
        AuthType Basic
        AuthName OpenStack
        AuthBasicProvider ldap
        AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
        Require valid-user
    </Location>
</VirtualHost>

Listen 5000
<VirtualHost *:5000>
    WSGIScriptAlias / /opt/stack/keystone/httpd/main
    <Location /v2.0/tokens>
        AuthType Basic
        AuthName OpenStack
        AuthBasicProvider ldap
        AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
        Require valid-user
    </Location>
</VirtualHost>
---

I think a problem with this config is that it should require basic auth only when doing a POST /v2.0/tokens request, and not require auth for GET.

Here's the curl command to get a token, which worked with this config:

    $ curl --user admin:adminpwd \
        -H "Content-Type: application/json" \
        -d '{"auth": {}}' \
        http://localhost:35357/v2.0/tokens

On Thu, Feb 28, 2013 at 2:25 AM, Alvaro Lopez <al...@ifca.unican.es> wrote:
> On Tue 26 Feb 2013 (13:41), Joshua wrote:
>> Matt at this point I am just trying to log into keystone using users I created on the Unix system.
>
> You mean authenticate against keystone using your system users?
>
> You should be able to do so by running keystone as a WSGI behind an Apache http server that will make the authentication (PAM in this case, but can be any auth method supported by apache) and then using the external authentication method [1].
>
> [1] http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication
>
> Regards,
> --
> Álvaro López García                    al...@ifca.unican.es
> Instituto de Física de Cantabria       http://devel.ifca.es/~aloga/
> Ed. Juan Jordá, Campus UC              tel: (+34) 942 200 969
> Avda. de los Castros s/n
> 39005 Santander (SPAIN)
>
> Premature optimization is the root of all evil (or at least most of it) in programming. -- Donald Knuth

___
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
Re: [Openstack] PAM authentication for Folsom Keystone
On Tue 26 Feb 2013 (13:41), Joshua wrote:
> Matt at this point I am just trying to log into keystone using users I created on the Unix system.

You mean authenticate against keystone using your system users?

You should be able to do so by running keystone as a WSGI behind an Apache http server that will make the authentication (PAM in this case, but can be any auth method supported by apache) and then using the external authentication method [1].

[1] http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication

Regards,
--
Álvaro López García                    al...@ifca.unican.es
Instituto de Física de Cantabria       http://devel.ifca.es/~aloga/
Ed. Juan Jordá, Campus UC              tel: (+34) 942 200 969
Avda. de los Castros s/n
39005 Santander (SPAIN)

Premature optimization is the root of all evil (or at least most of it) in programming. -- Donald Knuth
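The two messages above describe the same design from two sides: httpd does the credential check (Basic/LDAP in the config posted above, PAM in Álvaro's suggestion), only the POST /v2.0/tokens request should depend on it, and keystone's external-auth mode takes the identity from the server-set REMOTE_USER variable. The following is an added example, not Keystone's code and not from anyone in the thread: a constructed WSGI app that models that handoff and its trust boundary. The token format, user names and paths are simplified placeholders, and the body-credential path is deliberately not modelled.

```python
# Added example (not Keystone code, not from the thread): a constructed WSGI
# app that models the httpd "external auth" handoff. Apache performs the
# Basic/LDAP or PAM check and exposes the result as REMOTE_USER; the app
# trusts only that server-set variable. Token format and names are placeholders.
import json
import secrets
from io import BytesIO
from wsgiref.util import setup_testing_defaults

TOKEN_PATH = "/v2.0/tokens"


def _json_body(environ):
    """Parse the request body as a JSON object; return {} when empty or invalid."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    raw = environ["wsgi.input"].read(length) if length > 0 else b""
    try:
        body = json.loads(raw.decode("utf-8")) if raw else {}
    except ValueError:
        return {}
    return body if isinstance(body, dict) else {}


def external_auth_app(environ, start_response):
    """Issue a token for POST /v2.0/tokens from the web-server identity.

    Only the POST that creates a token depends on httpd authentication; any
    other request (for example the GET that validates a token and carries
    X-Auth-Token) is passed through, which is the split asked for above.
    """
    if environ["REQUEST_METHOD"] != "POST" or environ.get("PATH_INFO") != TOKEN_PATH:
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps({"passthrough": True}).encode()]

    auth = _json_body(environ).get("auth", {})
    if auth:
        # Credentials in the body belong to the normal identity backend,
        # which this demo does not model.
        start_response("400 Bad Request", [("Content-Type", "application/json")])
        return [json.dumps({"error": "only external auth is modelled"}).encode()]

    # REMOTE_USER is written by mod_auth* after a successful check. A client
    # cannot forge it: a "Remote-User:" request header arrives in the WSGI
    # environ as HTTP_REMOTE_USER and is never consulted here.
    user = environ.get("REMOTE_USER")
    if not user:
        start_response("401 Unauthorized",
                       [("Content-Type", "application/json"),
                        ("WWW-Authenticate", 'Basic realm="OpenStack"')])
        return [json.dumps({"error": "unauthenticated"}).encode()]

    # Constructed response shape; not the real Keystone v2 token document.
    token = {"access": {"token": {"id": secrets.token_hex(16)},
                        "user": {"name": user}}}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(token).encode()]


def call(method, path, body=None, remote_user=None, headers=None):
    """Drive the app with a hand-built WSGI environ; return (status, parsed JSON)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)
    raw = json.dumps(body).encode() if body is not None else b""
    environ["wsgi.input"] = BytesIO(raw)
    environ["CONTENT_LENGTH"] = str(len(raw))
    if remote_user is not None:
        environ["REMOTE_USER"] = remote_user          # what Apache would set
    for name, value in (headers or {}).items():
        # CGI/WSGI rule: client-supplied headers land under HTTP_<NAME>
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    result = {}

    def start_response(status, response_headers):
        result["status"] = status

    chunks = external_auth_app(environ, start_response)
    return result["status"], json.loads(b"".join(chunks).decode())


if __name__ == "__main__":
    print(call("POST", TOKEN_PATH, {"auth": {}}, remote_user="admin"))            # 200, token for admin
    print(call("POST", TOKEN_PATH, {"auth": {}}))                                 # 401, httpd did not authenticate
    print(call("POST", TOKEN_PATH, {"auth": {}}, headers={"Remote-User": "admin"}))  # 401, header is not REMOTE_USER
    print(call("GET", TOKEN_PATH + "/abc123"))                                    # passthrough, no Basic auth needed
```

The third call is the one worth keeping in mind when deploying this pattern: the app must read the identity from the `REMOTE_USER` environ key that the web server populates, never from a request header, and the web server must be the only path to the WSGI process, otherwise a direct connection could present an unauthenticated empty `{"auth": {}}` body.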
Re: [Openstack] PAM authentication for Folsom Keystone
Oops misunderstood. Was thinking PAM -> Keystone. Sorry

On Tue, Feb 26, 2013 at 12:25 PM, Matt Joyce <matt.jo...@cloudscaling.com> wrote:
> I did it. Works fine. But SSH won't work without an NSS service. SSH clients perform a getpwnam() before passing auth creds to PAM. I'll ask if I can publish my code.
>
> On Tue, Feb 26, 2013 at 12:15 PM, Joshua <j...@root.bz> wrote:
>> I am trying to integrate Folsom Keystone PAM authentication. I was wondering if anyone has been successful in getting basic PAM auth working? I am trying to do KEYSTONE -> PAM -> LDAP eventually. Any help with the PAM Auth would be greatly appreciated.
Re: [Openstack] PAM authentication for Folsom Keystone
I did it. Works fine. But SSH won't work without an NSS service. SSH clients perform a getpwnam() before passing auth creds to PAM. I'll ask if I can publish my code.

On Tue, Feb 26, 2013 at 12:15 PM, Joshua <j...@root.bz> wrote:
> I am trying to integrate Folsom Keystone PAM authentication. I was wondering if anyone has been successful in getting basic PAM auth working? I am trying to do KEYSTONE -> PAM -> LDAP eventually. Any help with the PAM Auth would be greatly appreciated.
Re: [Openstack] PAM authentication for Folsom Keystone
Matt at this point I am just trying to log into keystone using users I created on the Unix system.

On Tue, Feb 26, 2013 at 1:27 PM, Matt Joyce <matt.jo...@cloudscaling.com> wrote:
> Oops misunderstood. Was thinking PAM -> Keystone. Sorry
>
> On Tue, Feb 26, 2013 at 12:25 PM, Matt Joyce <matt.jo...@cloudscaling.com> wrote:
>> I did it. Works fine. But SSH won't work without an NSS service. SSH clients perform a getpwnam() before passing auth creds to PAM. I'll ask if I can publish my code.
>>
>> On Tue, Feb 26, 2013 at 12:15 PM, Joshua <j...@root.bz> wrote:
>>> I am trying to integrate Folsom Keystone PAM authentication. I was wondering if anyone has been successful in getting basic PAM auth working? I am trying to do KEYSTONE -> PAM -> LDAP eventually. Any help with the PAM Auth would be greatly appreciated.