Using External Authentication with OpenStack Identity

When Keystone is executed in apache-httpd, it is possible to use external authentication methods different from the authentication provided by the identity store backend. For example, this makes it possible to use a SQL identity backend together with X.509 authentication, Kerberos, etc. instead of using the username/password combination.
Using HTTPD authentication

Web servers such as Apache HTTP support many methods of authentication. Keystone can take advantage of this feature and let the web server perform the authentication; the web server then passes the authenticated user down to Keystone in the REMOTE_USER environment variable. This user must already exist in the identity backend in order to get a token from the controller. To use this method, OpenStack Identity should be running on apache-httpd.
Using X.509

The following snippet for the Apache conf will authenticate the user based on a valid X.509 certificate from a known CA:

    <VirtualHost _default_:5000>
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl.cert
        SSLCertificateKeyFile /etc/ssl/private/ssl.key
        SSLCACertificatePath /etc/ssl/allowed_cas
        SSLCARevocationPath /etc/ssl/allowed_cas
        SSLUserName SSL_CLIENT_S_DN_CN
        SSLVerifyClient require
        SSLVerifyDepth 10
        (...)
    </VirtualHost>
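
The REMOTE_USER hand-off described above, seen from the WSGI application's side. This is an added example, not Keystone's own code: `IDENTITY_BACKEND`, `external_user`, `issue_token` and `app` are hypothetical names, and the user records are constructed sample data. It shows that only the server-set REMOTE_USER variable is honoured (a client-sent "Remote-User" header arrives as HTTP_REMOTE_USER and is ignored) and that a user missing from the backend gets no token.

```python
import secrets

# Constructed stand-in for the identity backend (hypothetical users).
IDENTITY_BACKEND = {"alice": {"id": "u-001"}, "bob": {"id": "u-002"}}


class ExternalAuthError(Exception):
    """The externally authenticated user cannot be given a token."""


def external_user(environ):
    """Return the user name set by the web server, or None.

    Only the CGI variable REMOTE_USER is trusted. With the X.509 snippet
    above, Apache fills it from SSL_CLIENT_S_DN_CN via SSLUserName.
    Headers sent by the client reach WSGI with an HTTP_ prefix
    (HTTP_REMOTE_USER), so they never populate this key.
    """
    user = (environ.get("REMOTE_USER") or "").strip()
    return user or None


def issue_token(environ, backend=IDENTITY_BACKEND):
    """Issue a token only for a server-authenticated, pre-existing user."""
    user = external_user(environ)
    if user is None:
        raise ExternalAuthError("web server did not authenticate the request")
    record = backend.get(user)
    if record is None:
        # The user must exist in the identity backend in advance.
        raise ExternalAuthError(f"{user!r} is not in the identity backend")
    return {"user_id": record["id"], "token": secrets.token_hex(16)}


def app(environ, start_response):
    """Minimal WSGI entry point: 200 with a token, or 401 with the reason."""
    try:
        status, body = "200 OK", issue_token(environ)["token"].encode()
    except ExternalAuthError as exc:
        status, body = "401 Unauthorized", str(exc).encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]
```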