While I grumbled when run_tests.sh was deprecated with just a terse message to go read the docs about tox, I have since switched over. Here is my quick tox transition tutorial.
Keystone tox cheat sheet
1
Kerberos, Federation, and Horizon
I’ve been looking in to enabling Kerberos for Horizon. Since Horizon passes the Users credentials on to Keystone to get a token, Kerberos requires an additional delegation mechanism. This leads to some questions about how to handle delegation in the case of Federated Identity.
Kerberos, Keystone Client, and S4U2Proxy
Since my eventual goal is to Kerberize Horizon, my next step after getting a CGI solution working was to make use of the Keystone client. Since the Kerberos auth plugin is still a work-in-progress, it required a little tweaking, but not all that much.
Continue reading
Testing S4U2Proxy
S4U2Proxy for Horizon
I’ve got a packstack install, and a Kerberos-capable Keystone. Time to call it from Horizon. Time to set up S4U2Proxy.
Continue reading
running the freeipa CLI from a non-client machine
A developer does things that are at odds with a production deployment. Case in point: the FreeIPA assumes that it should be run on an ipa-client machine. But as a developer, I need to talk to remote FreeIPA servers. Here’s how to make the CLI work without performing a client install.
Continue reading
Keeping DHCP from changing the Nameserver
I’m running FreeIPA in an OpenStack lab. I don’t control the DHCP server. When a host renews its lease, the dhclient code overwrites the nameserver values in /etc/resolv.conf. To avoid this, I modified /etc/dhcp/dhclient.conf
interface "eth0" {
prepend domain-name-servers 192.168.187.12;
}
This makes sure my custom nameserver stays at the top of the list. Its a small hack that is perfect for developer work.
TGT Forwarding and cleanup
Kerberos provides single sign-on. However, if you don’t take care, you will end up having to do a kinit on a remote machine. Not a big deal, but the TGT on the remote machine will not necessarily be cleaned up when you log out.
Kerberizing Keystone in HTTPD
Configuring Kerberos as the authentication mechanism for Keystone is not much different than Kerberizing any other Web application. The general steps are:
- Configure Keystone to Run with an LDAP backend
- Configure Keystone to Run in Apache HTTPD
- Register the Keystone server as an Kerberos Client (I use FreeIPA)
- Establish a Kerberized URL for $OS_AUTH_URL
Parameter Names in Java 8
There is a killer feature in Java 8, and it is not Lambdas.