Configuring Kerberos as the authentication mechanism for Keystone is not much different than Kerberizing any other Web application. The general steps are:
- Configure Keystone to Run with an LDAP backend
- Configure Keystone to Run in Apache HTTPD
- Register the Keystone server as a Kerberos client (I use FreeIPA)
- Establish a Kerberized URL for $OS_AUTH_URL
CLARIFICATION: In this configuration, Keystone uses Kerberos to authenticate, and then uses the LDAP identity backend, mapping REMOTE_USER to a user_id via the external auth plugin.
Instructions for much of this have been written on the RDO site:
Note that I use a fairly minimal LDAP configuration. I use the same attribute for user id and user name. The IPA server allows anonymous browsing, which is read only. For the rest, I take the defaults.
I do not recommend putting Assignment data in the LDAP backend. For my setup, I put assignments in SQL.
I only set the following values in the LDAP section of my keystone.conf:
[identity]
driver = keystone.identity.backends.ldap.Identity
#many lines removed
[LDAP]
url=ldap://ipa.cloudlab.freeipa.org
user_tree_dn=cn=users,cn=accounts,dc=ipa,dc=cloudlab,dc=freeipa,dc=org
user_id_attribute=uid
user_name_attribute=uid
group_tree_dn=cn=groups,cn=accounts,dc=ipa,dc=cloudlab,dc=freeipa,dc=org
[assignment]
driver = keystone.assignment.backends.sql.Assignment
Note that Kerberos without SSL is subject to replay attacks, so you should configure the HTTPD server to run with SSL via mod_nss. I’ve laid out the steps to do that. In addition, you should use a real CA to manage the certificates, which you get for free if you use FreeIPA.
sudo yum install mod_auth_kerb mod_nss
edit /etc/httpd/conf.d/nss.conf as I wrote about before:
Change Listen 8443 to
Listen 443
And <VirtualHost _default_:8443>
to
<VirtualHost _default_:443>
When you install mod_nss, it puts a self-signed certificate into the NSS database used by the HTTPD server. Get rid of the old cert before requesting a new one: list what is in the database, then delete the self-signed Server-Cert.
certutil -d /etc/httpd/alias/ -L
certutil -d /etc/httpd/alias/ -D -n Server-Cert
How to get a certificate with Certmonger and FreeIPA
sudo ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ayoungdevstack20.cloudlab.freeipa.org -N 'CN=ayoungdevstack20.cloudlab.freeipa.org,O=cloudlab.freeipa.org'
Make sure Apache can read the Keystone conf file. Since it contains passwords (MySQL), it should not be world readable.
sudo chgrp -R apache /etc/keystone/
sudo chmod g+rx /etc/keystone/keystone.conf
edit wsgi-keystone.conf and add:
WSGIScriptAlias /keystone/krb /var/www/cgi-bin/keystone/main
WSGIProcessGroup keystone_wsgi
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms IPA.CLOUDLAB.FREEIPA.ORG
Krb5KeyTab /etc/httpd/conf/openstack.keytab
KrbSaveCredentials on
KrbLocalUserMapping on
Require valid-user
NSSRequireSSL
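To make the REMOTE_USER step concrete: once Apache has completed the Negotiate exchange it sets REMOTE_USER in the WSGI environ, and with KrbLocalUserMapping on the realm is already stripped. The following is an added illustration of that mapping, not Keystone's own external auth plugin; the LDAP user tree is replaced by a constructed in-memory table keyed by uid (the page sets both user_id_attribute and user_name_attribute to uid), and the realm is the one from the KrbAuthRealms line above.

```python
from typing import Optional

# Realm Apache was told to accept (KrbAuthRealms in wsgi-keystone.conf).
TRUSTED_REALM = "IPA.CLOUDLAB.FREEIPA.ORG"

# Constructed stand-in for cn=users,cn=accounts,... with user_id_attribute=uid.
USER_TREE = {
    "ayoung": {"uid": "ayoung"},
    "jdoe": {"uid": "jdoe"},
}


def principal_to_login(remote_user: str, local_user_mapping: bool) -> Optional[str]:
    """Model what KrbLocalUserMapping does to the authenticated principal.

    With the directive on, Apache passes the bare local name; with it off, the
    application sees user@REALM and must split and check the realm itself.
    Returns None when the value is not in the expected shape.
    """
    if local_user_mapping:
        # Apache already stripped the realm; a '@' here is unexpected.
        return None if "@" in remote_user else remote_user
    if "@" not in remote_user:
        return None
    name, realm = remote_user.rsplit("@", 1)
    return name if realm == TRUSTED_REALM else None


def map_remote_user(environ: dict, local_user_mapping: bool = True) -> Optional[str]:
    """Return the Keystone user_id for a WSGI environ, or None to reject.

    Only the server-set REMOTE_USER key is consulted. A client-supplied
    'Remote-User' header would show up as HTTP_REMOTE_USER and is ignored,
    which is why this value is trustworthy only behind mod_auth_kerb.
    """
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        return None
    login = principal_to_login(remote_user, local_user_mapping)
    if login is None:
        return None
    # Look the login up by uid in the user tree; unknown users are rejected.
    entry = USER_TREE.get(login)
    return entry["uid"] if entry else None
```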
Request a Keytab
[fedora@ayoungdevstack20 conf.d]$ ipa-getkeytab -s ipa.cloudlab.freeipa.org -p HTTP/ayoungdevstack20.cloudlab.freeipa.org -k ~/openstack.keytab
Keytab successfully retrieved and stored in: /home/fedora/openstack.keytab
[fedora@ayoungdevstack20 conf.d]$ sudo mv /home/fedora/openstack.keytab /etc/httpd/conf
Apache needs to be able to read the keytab, but no one else should, so make it owner-only.
[fedora@ayoungdevstack20 conf.d]$ sudo chown apache /etc/httpd/conf/openstack.keytab
[fedora@ayoungdevstack20 conf.d]$ sudo chmod 0400 /etc/httpd/conf/openstack.keytab
Restart HTTPD before testing.
Hit from a browser:
https://ayoungdevstack20.cloudlab.freeipa.org/keystone/krb
On the client, fetch the CA cert for NSS.
wget http://ipa.cloudlab.freeipa.org/ipa/config/ca.crt
Test with curl:
curl --cacert ca.crt --negotiate -u : https://ayoungdevstack20.cloudlab.freeipa.org/keystone/krb