Keystone and Kerberos

“How can I integrate Kerberos into a Keystone server and still maintain the UserId-Password based login.”

This is a fairly simple task, and it works because the AUTH_URL used to get a token does not need to match the identity URLs returned by the service catalog.

The Keystone server is a modified devstack deployment using the Keystone LDAP Identity Backend to talk to a FreeIPA server. I’ve made an additional WSGIScriptAlias specific to Kerberos authentication. In /etc/httpd/conf.d/wsgi-keystone.conf I have:

WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/krb   /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin

WSGIDaemonProcess keystone_admin user=fedora group=wheel maximum-requests=10000
WSGIDaemonProcess keystone_main user=fedora group=wheel maximum-requests=10000
WSGIDaemonProcess keystone_krb_wsgi user=fedora group=wheel maximum-requests=10000

<Location /keystone/admin>
  WSGIProcessGroup keystone_admin
  AuthType none
</Location>

<Location /keystone/main>
  WSGIProcessGroup keystone_main
  AuthType none
</Location>

<Location /keystone/krb>
  WSGIProcessGroup keystone_krb_wsgi
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/conf/openstack.keytab
  KrbSaveCredentials on
  KrbLocalUserMapping on
  Require valid-user
</Location>

With this configuration I am able to fetch a token using a curl call. Before that I need to have run kinit as the Kerberos principal that maps to the Keystone user.

curl   \
-H "Content-Type:application/json" \
--negotiate -u : \
--cacert ca.crt  \
-d  '{ "auth": { "identity": { "methods": []}, "scope": { "project": { "domain": { "name": "Default" }, "name": "demo" } } } }' \

# If you want this command to return just the token, uncomment the next line and append it to the command above.
# | awk '/X-Subject-Token/ {print $2}'

Note that my service catalog returns URLs that point to the non-Kerberized Location blocks in my HTTPD config. For example:

$ keystone endpoint-get --service=identity
|      Property      |                              Value                               |
| identity.publicURL | |
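As an added example (not code from the original post), the following Python script checks an httpd config of the shape above for the pattern the post relies on: a Kerberos-protected Location with `KrbMethodK5Passwd off` and its own WSGI process group, a non-Kerberized Location left over for password login, and a catalog identity URL that does not point at the Kerberized path. The sample config embeds the post's own directives; the `<Location>` blocks around them are an assumption (the page shows the directive groups without their enclosing tags), and the hostname in the test URLs is a constructed placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the post's directives, with <Location> blocks assumed
# around each indented group (the post itself shows them without tags).
SAMPLE_CONF = """
WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/krb   /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin

<Location /keystone/admin>
  WSGIProcessGroup keystone_admin
  AuthType none
</Location>

<Location /keystone/main>
  WSGIProcessGroup keystone_main
  AuthType none
</Location>

<Location /keystone/krb>
  WSGIProcessGroup keystone_krb_wsgi
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/conf/openstack.keytab
  KrbSaveCredentials on
  KrbLocalUserMapping on
  Require valid-user
</Location>
"""

LOCATION_RE = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.S | re.I)


def parse_locations(conf):
    """Return {path: {directive_lowercase: value}} for every <Location> block."""
    locations = {}
    for match in LOCATION_RE.finditer(conf):
        path, body = match.group(1), match.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        locations[path] = directives
    return locations


def kerberos_locations(locations):
    """Paths whose Location block sets AuthType Kerberos."""
    return {p for p, d in locations.items() if d.get("authtype", "").lower() == "kerberos"}


def audit_config(conf):
    """Return a list of findings; an empty list means the config matches the post's pattern."""
    locations = parse_locations(conf)
    krb = kerberos_locations(locations)
    findings = []
    if not krb:
        findings.append("no Kerberos-protected Location found")
    if not any(d.get("authtype", "").lower() != "kerberos" for d in locations.values()):
        findings.append("no non-Kerberos Location left for password login")
    # Map each WSGI process group to the Locations that use it.
    groups = {}
    for path, d in locations.items():
        groups.setdefault(d.get("wsgiprocessgroup"), set()).add(path)
    for path in sorted(krb):
        d = locations[path]
        # mod_auth_kerb defaults KrbMethodK5Passwd to on, which accepts HTTP Basic
        # credentials and checks them against the KDC; the post turns it off.
        if d.get("krbmethodk5passwd", "on").lower() != "off":
            findings.append(f"{path}: KrbMethodK5Passwd should be off")
        if d.get("require", "").lower() != "valid-user":
            findings.append(f"{path}: missing 'Require valid-user'")
        if "krb5keytab" not in d:
            findings.append(f"{path}: no Krb5KeyTab set")
        shared = groups.get(d.get("wsgiprocessgroup"), set()) - {path}
        if shared:
            findings.append(f"{path}: shares its WSGI process group with {sorted(shared)}")
    return findings


def catalog_endpoint_ok(identity_url, conf):
    """True when the catalog's identity URL is not served from a Kerberos Location."""
    path = urlparse(identity_url).path
    return not any(path == p or path.startswith(p.rstrip("/") + "/")
                   for p in kerberos_locations(parse_locations(conf)))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONF) or ["config matches the expected pattern"]:
        print(finding)
```

The two checks encode the reason the setup works: password logins stay on a Location with no Kerberos handling, so the catalog can hand clients that path while Negotiate-capable clients use the Kerberized path as their AUTH_URL. `KrbMethodK5Passwd off` matters because with it on, mod_auth_kerb would also accept a Basic-auth password on the Kerberized path, and a separate WSGIDaemonProcess keeps the credential cache that `KrbSaveCredentials on` exports out of the processes that serve password logins.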
