Yesterday I set up a S4U2Proxy configuration for HTTP to HTTP delegation. Today, I tested it.
Testing S4U2Proxy
Reply
S4U2Proxy for Horizon
I’ve got a packstack install, and a Kerberos-capable Keystone. Time to call it from Horizon. Time to set up S4U2Proxy.
Continue reading
running the freeipa CLI from a non-client machine
A developer does things that are at odds with a production deployment. Case in point: the FreeIPA assumes that it should be run on an ipa-client machine. But as a developer, I need to talk to remote FreeIPA servers. Here’s how to make the CLI work without performing a client install.
Continue reading
Keeping DHCP from changing the Nameserver
I’m running FreeIPA in an OpenStack lab. I don’t control the DHCP server. When a host renews its lease, the dhclient code overwrites the nameserver values in /etc/resolv.conf. To avoid this, I modified /etc/dhcp/dhclient.conf
interface "eth0" {
prepend domain-name-servers 192.168.187.12;
}
This makes sure my custom nameserver stays at the top of the list. Its a small hack that is perfect for developer work.
TGT Forwarding and cleanup
Kerberos provides single sign-on. However, if you don’t take care, you will end up having to do a kinit on a remote machine. Not a big deal, but the TGT on the remote machine will not necessarily be cleaned up when you log out.
Kerberizing Keystone in HTTPD
Configuring Kerberos as the authentication mechanism for Keystone is not much different than Kerberizing any other Web application. The general steps are:
- Configure Keystone to Run with an LDAP backend
- Configure Keystone to Run in Apache HTTPD
- Register the Keystone server as an Kerberos Client (I use FreeIPA)
- Establish a Kerberized URL for $OS_AUTH_URL
Parameter Names in Java 8
There is a killer feature in Java 8, and it is not Lambdas.
Keystone Federation via mod_lookup_identity
In a recent post, I described how I configured a web server to user mod_lookup_identity. Now, I use that configuration to provide a test for the recent Federation work in Keystone. This is a really rough proof of concept; do not expect to be able to use this in your production environments yet.
Continue reading
Mapping X509 to Endpoints in OpenStack
Keystone token signing suffers from Highlander Syndrome. When it comes to Token Signers:
Keystone and Kerberos
“How can I integrate Kerberos in to a Keystone server and still maintain the UserId-Password based login.”
This is a fairly simple task, and works due to the fact that the AUTH_URL used to get a token does not need to match the other URLS returned by the service catalog for identity.