I’ve got a packstack install, and a Kerberos-capable Keystone. Time to call it from Horizon. Time to set up S4U2Proxy.
Continue reading
S4U2Proxy for Horizon
Reply
Category Archives: Software
running the freeipa CLI from a non-client machine
A developer does things that are at odds with a production deployment. Case in point: the FreeIPA assumes that it should be run on an ipa-client machine. But as a developer, I need to talk to remote FreeIPA servers. Here’s how to make the CLI work without performing a client install.
Continue reading
Keeping DHCP from changing the Nameserver
I’m running FreeIPA in an OpenStack lab. I don’t control the DHCP server. When a host renews its lease, the dhclient code overwrites the nameserver values in /etc/resolv.conf. To avoid this, I modified /etc/dhcp/dhclient.conf
interface "eth0" {
prepend domain-name-servers 192.168.187.12;
}
This makes sure my custom nameserver stays at the top of the list. Its a small hack that is perfect for developer work.
TGT Forwarding and cleanup
Kerberos provides single sign-on. However, if you don’t take care, you will end up having to do a kinit on a remote machine. Not a big deal, but the TGT on the remote machine will not necessarily be cleaned up when you log out.
Kerberizing Keystone in HTTPD
Configuring Kerberos as the authentication mechanism for Keystone is not much different than Kerberizing any other Web application. The general steps are:
- Configure Keystone to Run with an LDAP backend
- Configure Keystone to Run in Apache HTTPD
- Register the Keystone server as an Kerberos Client (I use FreeIPA)
- Establish a Kerberized URL for $OS_AUTH_URL
Parameter Names in Java 8
There is a killer feature in Java 8, and it is not Lambdas.
Keystone Federation via mod_lookup_identity
In a recent post, I described how I configured a web server to user mod_lookup_identity. Now, I use that configuration to provide a test for the recent Federation work in Keystone. This is a really rough proof of concept; do not expect to be able to use this in your production environments yet.
Continue reading
Mapping X509 to Endpoints in OpenStack
Keystone token signing suffers from Highlander Syndrome. When it comes to Token Signers:
Keystone and Kerberos
“How can I integrate Kerberos in to a Keystone server and still maintain the UserId-Password based login.”
This is a fairly simple task, and works due to the fact that the AUTH_URL used to get a token does not need to match the other URLS returned by the service catalog for identity.
mod_lookup_identity
“Don’t repeat yourself.” This rule is such a core principal in programming it has been reduced to the acronym DRY. Yet, somehow, every web application framework out there ends up with a custom authorization framework; LDAP, SQL, and usually a Flat File authorization list.
Apache HTTPD can and should perform a cryptographic based authentication for your users. Even better, it should be able to return to you the user attributes necessary to perform accurate authorization. REMOTE_USER has been the standard ever since CGI first appeared for the web. Now we can extend that approach to a generic set of user attributes for authorization. mod_lookup_identity.
I’m starting on a proof-of-concept setup where, instead of using the LDAP backend for Keystone, I use mod_identity_lookup to fetch the data at the HTTPD layer. Here are the steps I went to configure the system.