The next interim release of Openstack Keystone will once again have LDAP support. I am developing against OpenLDAP to start, as that is what the LDAP support has been based on in the past. However, the directory server that backs FreeIPA works perfectly well, and provides a backend that allows for Keystone support.
Monthly Archives: February 2012
Working with Keystone Authenticate
Here is a little utility I’ve worked up while working with the Openstack Keystone code.
Openstack Keystone LDAP Redux
A recent change in the structure of the Openstack Keystone architecture resulted in the loss of support for an LDAP Backend. I’ve been working to rectify that. Here’s my set up and the design decisions I’ve made so far. Since this code is not yet submitted for code review, there is a good chance that it will change prior to deployment.
Programmatic EXTERNAL SASL connection to OpenLDAP
The documentation on the OpenLDAP site discusses modifying the LDIF files under slapd.d that the server reads at start-up. If you try this on a Fedora- or Debian-based install, you will find that the server does not start: slapd stores a checksum of each of those files and compares it with the file's contents at start-up, so hand edits are rejected. There is a better way.
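The approach the excerpt alludes to is to change the running server's cn=config over the local ldapi:// socket, authenticating with SASL EXTERNAL, so that slapd rewrites (and re-checksums) the slapd.d files itself. The script below is an added example, not code from the original post. It assumes slapd listens on ldapi:///, that it runs as root, and that the config database grants manage access to root's socket identity, gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth (the packaged default on Fedora and Debian); the LDIF it applies (raising olcLogLevel to stats) is a sample change.

```shell
#!/bin/sh
# Added example (not from the original post): modify a running slapd's cn=config
# over the ldapi:// unix socket with SASL EXTERNAL instead of editing slapd.d by
# hand. slapd owns those files and stores a checksum in each, so hand edits are
# rejected; going through the protocol keeps them consistent.
# Assumptions: slapd listens on ldapi:///, this runs as root, and
# olcDatabase={0}config grants root's peer identity
# (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) manage access.

# The change to apply, as LDIF on stdout: a sample that raises the log level.
loglevel_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
}

# The ldapmodify invocation as a string so it can be reviewed before it runs.
# -Y EXTERNAL selects the SASL mechanism (slapd maps the socket peer's uid/gid to
# the cn=peercred DN above), -H ldapi:/// selects the unix socket, and -Q
# silences the SASL interaction prompts.
ldapmodify_cmd() {
    printf '%s' "ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f $1"
}

# Write the LDIF to a temp file and apply it; if the OpenLDAP client tools are
# not installed, show what would have been run instead.
apply_loglevel() {
    ldif=$(mktemp) || return 1
    loglevel_ldif > "$ldif"
    if command -v ldapmodify >/dev/null 2>&1; then
        ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif"
        rc=$?
    else
        echo "ldapmodify not found; would run: $(ldapmodify_cmd "$ldif")" >&2
        rc=0
    fi
    rm -f "$ldif"
    return $rc
}

# Only touch the server when explicitly asked: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_loglevel
fi
```

If the bind is refused with "insufficient access", check which DN your socket identity maps to with `ldapwhoami -Q -Y EXTERNAL -H ldapi:///` and compare it against the olcAccess rules of the config database.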
DNS Managers in FreeIPA
The Domain Name System (DNS) is an essential part of systems management. If you manage more than a handful of physical hosts, you benefit from a degree of control over some subset of DNS, and with virtual machines the sheer number of hosts being created demands a responsive DNS. Kerberos, X.509 and other security mechanisms require a correct DNS configuration. Yet for many organizations, DNS is locked down by IT to a very static set of records. Earlier articles discussed user groups, host groups, and netgroups. The final installment in this series discusses how to delegate DNS zone management in FreeIPA.
Netgroup Managers in FreeIPA
The last two articles described how to delegate management of user groups and host groups. The other way to manage both hosts and users in FreeIPA is with netgroups. Although netgroups are a concept from NIS, FreeIPA takes them further and makes them into containers that can hold both users and hosts (and groups of each). This article shows how to delegate control of a netgroup to a specified user.
Hostgroup Managers in FreeIPA
In the last article I discussed delegating the authority to manage group membership using FreeIPA. A related topic is delegating the ability to manage groups of hosts. There are two different collections for managing hosts: host groups and netgroups. The approach to delegating authority over each of them is similar, but with important differences. First up: hostgroups.
To create a hostgroup for Beowulf hosts:
Group Managers in FreeIPA
The power of a hierarchical database lies in its access controls. FreeIPA gives you a set of tools that you can use in order to delegate authority using those access controls.
A second Kerberos Realm
With the release of KRB5 1.10, a Kerberos workstation can finally hold two different TGTs from two different KDCs at the same time. Until that version makes it into the major distributions, we are stuck with the limitation that the browser only knows about one TGT, KDC and realm at a time. If you find yourself needing to talk to a second KDC without disrupting your primary, here are the steps you can take.
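The steps themselves are not reproduced on this page. One way to do it, as an added example that is not the original post's procedure, is to give the second realm its own credential cache through KRB5CCNAME: the default cache, and everything that reads it (the browser included), keeps seeing only the primary realm, while individual commands are pointed at the second cache. The realm and principal names are hypothetical, and the second realm must be resolvable through krb5.conf's [realms] section or DNS SRV records.

```shell
#!/bin/sh
# Added example (not the original post's steps): use a second KDC without touching
# the primary TGT by keeping the second realm's tickets in a separate ccache.
# Realm and user names are hypothetical; the second realm must be known to
# krb5.conf or DNS.

# Cache file for a realm, keyed by uid so it cannot collide with other users'.
second_cache() {        # second_cache REALM
    printf '%s' "FILE:/tmp/krb5cc_$(id -u)_$1"
}

# Obtain a TGT for USER@REALM into that realm's private cache. The default cache
# (and the primary TGT in it) is never opened.
second_kinit() {        # second_kinit REALM USER
    KRB5CCNAME=$(second_cache "$1") kinit "$2@$1"
}

# Run one command against the second realm: only that process sees the second
# cache, so its service tickets are requested from the second KDC.
with_second_realm() {   # with_second_realm REALM CMD [ARGS...]
    realm=$1; shift
    KRB5CCNAME=$(second_cache "$realm") "$@"
}

# Drop the second realm's tickets when done; the primary cache is untouched.
second_kdestroy() {     # second_kdestroy REALM
    KRB5CCNAME=$(second_cache "$1") kdestroy
}

if [ "${1:-}" = "--demo" ]; then
    second_kinit EXAMPLE.ORG alice            # prompts for alice's password
    with_second_realm EXAMPLE.ORG klist       # lists only the EXAMPLE.ORG TGT
    klist                                     # default cache: primary realm only
    with_second_realm EXAMPLE.ORG ssh host.example.org
    second_kdestroy EXAMPLE.ORG
fi
```

The cache lives under /tmp with the user's uid in the name, matching the convention used for the default krb5cc_UID file; kinit creates it with mode 0600, so other local users cannot read the tickets.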