[rhos-list] Keystone + LDAP + TLS
Adam Young
ayoung at redhat.com
Wed Aug 22 01:55:42 UTC 2012
On 08/21/2012 06:07 PM, Jonathan Mills wrote:
> Like any reasonable IT organization, I run a secure LDAP server. It
> will accept anonymous binds, but requires TLS and a valid certificate
> (tls_reqcert = demand).
>
> Now it seems that Essex really only wants to use Keystone for identity
> management.
>
> And Keystone supports LDAP as a backend.
>
> And Keystone uses the python-ldap library, which supports LDAPS or
> LDAP w/ START_TLS.
>
> So quite naturally I want Keystone to authenticate my users, who live
> in LDAP, to nova for me.
>
> However....it does not seem that keystone.conf actually supports the
> configuration declarations to build a secure LDAP connection?
>
> This strikes me as a pretty big deal...
>
LDAP support is new, and is getting more attention now. The predominant
way people seem to be using it is as a read only data store. The other
way is using a local LDAP server that is either passing through to the
remote one or caching a subset of the data.
Simple Bind was the most straightforward and simplest authentication
that could be done. Ideally, we would do something more secure, like
Kerberos.
We need to start a blueprint for LDAP features. LDAPS/StartTLS is one
that has been on my mind for a while now. The obvious first step would
be for the URL to be ldaps:/// instead of ldap:// but that is a
configuration option already supported. We do conn.simple_bind_s.
What else would be required to support it?
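Since the question of what is needed beyond an ldaps:// URL is left open above, here is an added example (written for this page; it is neither Keystone's code nor part of the original thread) of how python-ldap is told to verify the server certificate, the equivalent of tls_reqcert = demand, before conn.simple_bind_s is ever reached. The configuration names use_tls, tls_cacertfile and tls_req_cert, the CA file path and the hostnames are this example's own assumptions.

```python
"""Added example, not Keystone's code: TLS settings python-ldap needs before
a simple bind is safe.  Assumed config keys: use_tls, tls_cacertfile,
tls_req_cert (modelled on the ldap.conf spelling tls_reqcert=demand)."""
from urllib.parse import urlparse

try:
    import ldap  # python-ldap; only connect() needs it
except ImportError:  # planning still works without the C extension
    ldap = None

# tls_req_cert value -> libldap LDAP_OPT_X_TLS_* value
# (same integers as ldap.OPT_X_TLS_NEVER/HARD/DEMAND/ALLOW/TRY)
REQCERT_VALUES = {"never": 0, "hard": 1, "demand": 2, "allow": 3, "try": 4}
LDAP_VERSION3 = 3  # value of ldap.VERSION3; StartTLS requires LDAPv3


def plan_tls(url, use_tls=False, tls_cacertfile=None,
             tls_req_cert="demand", allow_cleartext=False):
    """Derive, from keystone-style settings, what must happen on the
    connection before simple_bind_s().

    Returns (needs_start_tls, options): options is an ordered list of
    (python-ldap option name, value) pairs for conn.set_option().
    Raises ValueError on contradictory or insecure settings."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported LDAP URL scheme: %r" % scheme)
    if scheme == "ldaps" and use_tls:
        raise ValueError("StartTLS (use_tls) cannot be combined with ldaps://")
    if tls_req_cert not in REQCERT_VALUES:
        raise ValueError("tls_req_cert must be one of %s"
                         % sorted(REQCERT_VALUES))
    if scheme == "ldap" and not use_tls and not allow_cleartext:
        # The bind credentials of a simple bind travel in clear text
        # over plain ldap://, so refuse unless the admin opted in.
        raise ValueError("plain ldap:// without StartTLS: set use_tls "
                         "or allow_cleartext=True explicitly")

    options = [("OPT_PROTOCOL_VERSION", LDAP_VERSION3)]
    if scheme == "ldaps" or use_tls:
        if tls_cacertfile:
            # CA bundle the server certificate is checked against;
            # omitted -> libldap falls back to TLS_CACERT from ldap.conf
            options.append(("OPT_X_TLS_CACERTFILE", tls_cacertfile))
        options.append(("OPT_X_TLS_REQUIRE_CERT",
                        REQCERT_VALUES[tls_req_cert]))
        # Must be the LAST TLS option: makes libldap build a fresh TLS
        # context from the per-connection settings above instead of the
        # process-wide defaults.
        options.append(("OPT_X_TLS_NEWCTX", 0))
    return use_tls, options


def connect(url, user=None, password=None, **tls_settings):
    """Open the connection, apply the TLS plan, then simple-bind.

    Even an anonymous bind (user=None) is protected: the certificate is
    verified and nothing is sent before the TLS handshake completes."""
    if ldap is None:
        raise RuntimeError("python-ldap is required to open a connection")
    needs_start_tls, options = plan_tls(url, **tls_settings)
    conn = ldap.initialize(url)  # no network traffic yet
    for name, value in options:  # all set before the first operation
        conn.set_option(getattr(ldap, name), value)
    if needs_start_tls:
        conn.start_tls_s()  # upgrade ldap:// to TLS before binding
    conn.simple_bind_s(user or "", password or "")
    return conn


if __name__ == "__main__":
    # Print the plan for the two secure forms; no server is contacted.
    # Hostnames and CA path are made up for the example.
    for url, kw in (("ldaps://ldap.example.com",
                     {"tls_cacertfile": "/etc/pki/tls/certs/ca.crt"}),
                    ("ldap://ldap.example.com", {"use_tls": True})):
        print(url, plan_tls(url, **kw))
```

The process-wide alternative, ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND) before ldap.initialize, also works; the per-connection form above is what a service such as Keystone that may talk to more than one directory wants, and the OPT_X_TLS_NEWCTX ordering is the detail that most often trips people up.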