
 External authentication with the Identity Service

When the Identity Service runs in apache-httpd, you can use external authentication methods that differ from the authentication provided by the identity store back-end. For example, you can keep an SQL identity back-end and authenticate users with X.509 certificates, Kerberos, and so on, instead of the user name and password combination.

 Use HTTPD authentication

Web servers such as the Apache HTTP Server support many authentication methods. The Identity Service can let the web server perform the authentication. The web server then passes the authenticated user to the Identity Service in the REMOTE_USER environment variable. This user must already exist in the Identity Service back-end in order to get a token from the controller. To use this method, the Identity Service should run on apache-httpd.
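How an application behind httpd consumes REMOTE_USER, as an added sketch that is not the Identity Service's own code. KNOWN_USERS, issue_token, external_auth_app and call are hypothetical names, and the user set is constructed sample data:

```python
# Added illustration; not Identity Service code. All names are hypothetical.
import secrets

KNOWN_USERS = {"alice", "bob"}  # constructed stand-in for the identity back-end


def issue_token(user):
    """Hypothetical token issuer: returns an opaque random token."""
    return f"{user}:{secrets.token_hex(16)}"


def external_auth_app(environ, start_response):
    """Minimal WSGI app that trusts only the server-set REMOTE_USER."""
    # REMOTE_USER is set by the web server after it authenticated the request.
    # A client-sent "Remote-User:" header arrives as HTTP_REMOTE_USER instead
    # and must never be treated as an identity.
    user = (environ.get("REMOTE_USER") or "").strip()
    if not user:
        status, body = "401 Unauthorized", "no externally authenticated user"
    elif user not in KNOWN_USERS:
        # Authenticated by httpd but unknown to the back-end: no token.
        status, body = "401 Unauthorized", "user not found in identity back-end"
    else:
        status, body = "200 OK", issue_token(user)
    payload = body.encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def call(environ):
    """Drive the app with a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(external_auth_app(dict(environ), start_response)).decode()
    return seen["status"], body


if __name__ == "__main__":
    # Constructed requests: known user, unknown user, spoofed header only.
    for env in ({"REMOTE_USER": "alice"},
                {"REMOTE_USER": "mallory"},
                {"HTTP_REMOTE_USER": "alice"}):
        print(env, "->", call(env)[0])
```

The third request shows why the front end has to be the only party able to set REMOTE_USER: a header supplied by the client never reaches that variable, so it yields no token.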

 Use X.509

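The following Apache configuration snippet authenticates the user based on a valid X.509 certificate from a known CA. SSLUserName sets REMOTE_USER to the common name (CN) of the certificate subject, so every CA in the allowed path can vouch for any user name: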

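    <VirtualHost _default_:5000>
        # Server certificate and private key for the TLS endpoint
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ssl.cert
        SSLCertificateKeyFile /etc/ssl/private/ssl.key

        # CAs whose client certificates are accepted, and their CRLs.
        # On Apache 2.4 the CRLs are only consulted when SSLCARevocationCheck
        # is enabled (its default is none).
        SSLCACertificatePath /etc/ssl/allowed_cas
        SSLCARevocationPath  /etc/ssl/allowed_cas
        # Use the certificate subject CN as REMOTE_USER
        SSLUserName          SSL_CLIENT_S_DN_CN
        # Reject connections that do not present a valid client certificate
        SSLVerifyClient      require
        SSLVerifyDepth       10

        (...)
    </VirtualHost>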