Kerberizing Keystone in HTTPD

Configuring Kerberos as the authentication mechanism for Keystone is not much different than Kerberizing any other Web application. The general steps are:

  1. Configure Keystone to Run with an LDAP backend
  2. Configure Keystone to Run in Apache HTTPD
  3. Register the Keystone server as an Kerberos Client (I use FreeIPA)
  4. Establish a Kerberized URL for $OS_AUTH_URL

CLARIFICATION: In this configuration, Keystone is using Kerberos to authenticate, and then Keystone uses the LDAP identity backend, mapping REMOTE_USER to a user_id the external auth plugin.

Instructions for much of this have been written on the RDO site:

Note that I use a fairly minimal LDAP configuration. I use the same attribute for user id and user name. The IPA server allows anonymous browsing, which is read only. For the rest, I take the defaults.
I do not recommend putting Assignment data in the LDAP backend. For my setup, I put assignments in SQL.

I only set the following values in the LDAP section of my keystone.conf

driver = keystone.identity.backends.ldap.Identity
#many lines removed


driver = keystone.assignment.backends.sql.Assignment

Note that Kerberos without SSL is subject to replay attacks. You should configure the HTTPD server to run in NSS. I’ve laid out the steps to do that. In addition, you should use a real CA for managing the certificates, but you get that if you use FreeIPA.

sudo yum install mod_auth_kerb mod_nss

edit /etc/httpd/conf.d/nss.conf as I wrote about before:

Change Listen 8443 to
Listen 443

And <VirtualHost _default_:8443>
<VirtualHost _default_:443>

When you install mod_nss, it puts a selfsigned certificate into the nss database used for the HTTPD server. Get rid of old cert before requesting a new one.

certutil -d /etc/httpd/alias/ -L -n Server-Cert

How to get a certificate with Certmonger and FreeIPA

sudo ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ -N ','

Make sure Apache can read the Keystone conf file. Since this contains a passwords (MySQL) it should not be world readable.

sudo chgrp -R apache /etc/keystone/
sudo chmod g+rx /etc/keystone/keystone.conf

edit wsgi-keystone.conf and add:

WSGIScriptAlias /keystone/krb  /var/www/cgi-bin/keystone/main

  WSGIProcessGroup keystone_wsgi
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/conf/openstack.keytab
  KrbSaveCredentials on
  KrbLocalUserMapping on
  Require valid-user

Request a Keytab

[fedora@ayoungdevstack20 conf.d]$ ipa-getkeytab -s -p HTTP/ -k ~/openstack.keytab
Keytab successfully retrieved and stored in: /home/fedora/openstack.keytab
[fedora@ayoungdevstack20 conf.d]$ sudo mv /home/fedora/openstack.keytab /etc/httpd/conf

Apache Needs to be able to read the keytab, but no one else should.

[fedora@ayoungdevstack20 conf.d]$ sudo chown apache /etc/httpd/conf/openstack.keytab
[fedora@ayoungdevstack20 conf.d]$ sudo chmod a+r  /etc/httpd/conf/openstack.keytab

Restart HTTPD before testing.

Hit from a browser:

On the client. Fetch the CA cert for NSS.


Test with curl:

curl --cacert ca.crt   --negotiate -u :

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.