Re: [Openstack] -[keystone] help configure keystone for token ssl x509 authorization

2016-07-27 Thread Adam Young

On 07/04/2016 11:14 AM, schmitt wrote:

> Hi,
> I am learning to configure keystone for tokenless SSL x509
> authorization, according to the document:
> http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html.
>
> When making a self-signed certificate with the openssl command,
> I don't know how to define the issuer DN and subject DN for SSL x509.
> Is it right as the following?
> For example,
> if using tokenless authorization between the nova service and keystone,
> I define the issuer DN like the following:

It is just a mapping: whatever you chose for the DN needs to be
mappable to the username in Keystone.
The example has "type": "SSL_CLIENT_S_DN_CN". So if the
SSL_CLIENT_S_DN_CN is schm...@openstack.com then the username needs to
be schm...@openstack.com.

There are many attributes you can use for mapping. Here is a decent
summary:

http://www.freeipa.org/page/Environment_Variables

> E=schm...@openstack.com
> CN=schmitt
> OU=keystone
> O=openstack
> L=Sunnyvale
> S=California
> C=US
> and define the subject DN like the following:
> E=n...@openstack.com
> CN=nova  # nova user defined in the configuration item [keystone_authtoken] file “/etc/nova/nova.conf”
> OU=default
> O=defalult
> L=Sunnyvale
> S=California
> C=US
>
> Also, is there something special between the subject DN and the openstack service?
> Thanks & Regards,
>
> schmitt





___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
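The mapping step described in the reply above, as an added example that is not part of the original thread and is not Keystone's own code. The rule, the user list, the choice of O as the domain name and all function names are constructed for illustration; the SSL_CLIENT_S_DN_* names are the variables Apache mod_ssl exports for the client certificate's subject.

```python
import re

# Constructed rule in the style of the mapping the reply quotes:
# each "remote" value fills the matching {n} placeholder in "local".
RULE = {
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}}}],
    "remote": [{"type": "SSL_CLIENT_S_DN_CN"}, {"type": "SSL_CLIENT_S_DN_O"}],
}
# Constructed Keystone users as (username, domain) pairs.
KNOWN_USERS = {("nova", "openstack")}


def subject_env(dn):
    """Turn an openssl-style '/K=V/...' subject into SSL_CLIENT_S_DN_* variables."""
    env = {"SSL_CLIENT_S_DN": dn}
    for part in filter(None, dn.split("/")):  # simplification: no '/' inside values
        key, _, value = part.partition("=")
        key = "Email" if key == "emailAddress" else key
        env.setdefault("SSL_CLIENT_S_DN_" + key, value)
    return env


def map_user(rule, env):
    """Return (name, domain) for the certificate, or None if the rule cannot apply."""
    values = [env.get(remote["type"]) for remote in rule["remote"]]
    if not all(values):
        return None  # the certificate lacks an attribute the rule needs

    def fill(template):
        return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], template)

    user = rule["local"][0]["user"]
    return fill(user["name"]), fill(user["domain"]["name"])


def authorize(dn):
    """Accept only when the mapped identity is an existing user."""
    mapped = map_user(RULE, subject_env(dn))
    return mapped if mapped in KNOWN_USERS else None


if __name__ == "__main__":
    for dn in ("/C=US/ST=California/L=Sunnyvale/O=openstack/OU=keystone/CN=nova",
               "/C=US/O=openstack/CN=schmitt",   # CN is not a Keystone username
               "/C=US/O=openstack/OU=keystone"):  # subject has no CN
        print(dn, "->", authorize(dn))
```

Only the first subject maps to a user; the other two show the cases where the CN names no existing user and where the certificate has no CN at all.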





[Openstack] -[keystone] help configure keystone for token ssl x509 authorization

2016-07-04 Thread schmitt
Hi,
I am learning to configure keystone for tokenless SSL x509 authorization,
according to the document:
http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html.
When making a self-signed certificate with the openssl command,
I don't know how to define the issuer DN and subject DN for SSL x509.
Is it right as the following?
For example,
if using tokenless authorization between the nova service and keystone,
I define the issuer DN like the following:
E=schm...@openstack.com
CN=schmitt
OU=keystone
O=openstack
L=Sunnyvale
S=California
C=US
and define the subject DN like the following:
E=n...@openstack.com
CN=nova  # nova user defined in the configuration item [keystone_authtoken] file “/etc/nova/nova.conf”
OU=default
O=defalult
L=Sunnyvale
S=California
C=US

Also, is there something special between the subject DN and the openstack service?
Thanks & Regards,

schmitt