I got keystone in my Bifrost install to talk via LDAP to our Freeipa server. Here’s what I had to do.
Category Archives: LDAP
Building an OpenShift LDAP URL from FreeIPA
If you want to use LDAP authentication with OpenShift, you need to build an LDAP URL from the information you do have. Here are the steps.
Red Hat IdM as an LDAP Identity Provider in OpenShift Container Platform 4
For my OpenShift Demo, I want to use a Red Hat IdM server as the identity provider. It took a little trial and error to get the mechanism to work right.
Rippowam
Ossipee started off as OS-IPA. As it morphed into a tool for building development clusters, I realized it was more useful to split the building of the cluster from the install and configuration of the application on that cluster. To install IPA and OpenStack, and integrate them together, we now use an ansible-playbook called Rippowam.
S4U2Proxy for Horizon
I’ve got a packstack install, and a Kerberos-capable Keystone. Time to call it from Horizon. Time to set up S4U2Proxy.
Keystone Federation via mod_lookup_identity
In a recent post, I described how I configured a web server to use mod_lookup_identity. Now, I use that configuration to provide a test for the recent Federation work in Keystone. This is a really rough proof of concept; do not expect to be able to use this in your production environments yet.
mod_lookup_identity
“Don’t repeat yourself.” This rule is such a core principle in programming that it has been reduced to the acronym DRY. Yet, somehow, every web application framework out there ends up with a custom authorization framework: LDAP, SQL, and usually a flat-file authorization list.
Apache HTTPD can and should perform cryptography-based authentication for your users. Even better, it should be able to return to you the user attributes necessary to perform accurate authorization. REMOTE_USER has been the standard ever since CGI first appeared for the web. Now we can extend that approach to a generic set of user attributes for authorization: mod_lookup_identity.
I’m starting on a proof-of-concept setup where, instead of using the LDAP backend for Keystone, I use mod_lookup_identity to fetch the data at the HTTPD layer. Here are the steps I went through to configure the system.
Packstack to LDAP
While Packstack makes it easy to get OpenStack up and running, it does not (yet) support joining to an existing Directory (LDAP) server. I went through this recently and here are the steps I followed.
LDAPS against a FreeIPA server
Once you have a Directory server installed, you are going to want to query against it from throughout the network. For many reasons, you will want traffic to the server encrypted. Here are the steps to query against a server using LDAPS from a remote machine.
FreeIPA Keystone LDAP Store
The next interim release of OpenStack Keystone will once again have LDAP support. I am developing against OpenLDAP to start, as that is what the LDAP support has been based on in the past. However, the directory server that backs FreeIPA works perfectly well, and provides a backend that allows for Keystone support.