openstack-manuals/doc/common/section_keystone-external-auth.xml
Tom Fifield af9f1ebed7 Tweaks to Identity section of Config Reference
The Identity Section of the config reference was previously
one big long page, with a single sentence intro.

This patch splits it up by removing the anti-chunking tag and
re-adding it where necessary. It adds a whole second sentence to
the intro.

Change-Id: Ic6aa139b3aba5ba9ee29db7081c38ebca94e73c3
2014-01-10 15:49:56 +08:00


<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="keystone-external-auth"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
<?dbhtml stop-chunking?>
<title>External authentication with the Identity
Service</title>
<para>When the Identity Service runs in <literal>apache-httpd</literal>,
you can use external authentication methods that differ from
the authentication provided by the identity store back-end.
For example, you can use an SQL identity back-end together with
X.509 authentication, Kerberos, and so on instead of using the
user name and password combination.</para>
<section xml:id="keystone-httpd-auth">
<title>Use HTTPD authentication</title>
<para>Web servers, such as the Apache HTTP Server, support many
methods of authentication. The Identity Service can allow the web
server to perform the authentication. The web server then
passes the authenticated user to the Identity Service by
using the <literal>REMOTE_USER</literal> environment variable.
This user must already exist in the Identity Service
back-end in order to get a token from the controller. To use
this method, the Identity Service should run in
<literal>apache-httpd</literal>.</para>
</section>
<section xml:id="keystone-x509-auth">
<title>Use X.509</title>
<para>The following Apache configuration snippet authenticates
the user based on a valid X.509 certificate from a known
CA:</para>
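<programlisting>&lt;VirtualHost _default_:5000&gt;
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl.cert
    SSLCertificateKeyFile /etc/ssl/private/ssl.key
    # Client certificates must chain to a CA stored in this directory.
    SSLCACertificatePath /etc/ssl/allowed_cas
    # Directory holding the CRLs. On httpd 2.4 the CRLs are enforced only
    # when SSLCARevocationCheck is also set (its default is "none").
    SSLCARevocationPath /etc/ssl/allowed_cas
    # REMOTE_USER is set to the CN of the client certificate subject.
    SSLUserName SSL_CLIENT_S_DN_CN
    # Reject any connection that does not present a valid client certificate.
    SSLVerifyClient require
    SSLVerifyDepth 10
    (...)
&lt;/VirtualHost&gt;</programlisting>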
</section>
</section>
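
The REMOTE_USER hand-off described under "Use HTTPD authentication", as an added example that is not part of the original file and is not the Identity Service's own code. It shows the two checks an application behind the web server has to make: take the identity only from the server-set `REMOTE_USER` key of the WSGI environ (a client-sent header can only appear as `HTTP_REMOTE_USER`), and reject users that do not exist in the back-end. The names `resolve_external_user`, `ExternalAuthError`, `app` and the in-memory back-end are hypothetical.

```python
# Added illustration; not Keystone's code. All names below are hypothetical.

class ExternalAuthError(Exception):
    """Raised when the request carries no usable web-server identity."""


def resolve_external_user(environ, user_exists):
    """Return the user name authenticated by the web server.

    environ     -- WSGI environ dict built by the server (for example mod_wsgi)
    user_exists -- callable(name) -> bool, stands in for the identity back-end
    """
    # Only the server-set CGI variable counts. A client header named
    # "Remote-User" arrives as HTTP_REMOTE_USER and must never be trusted.
    name = environ.get("REMOTE_USER")
    if not isinstance(name, str) or not name.strip():
        raise ExternalAuthError("web server did not authenticate the request")
    name = name.strip()
    # The page's requirement: the user must already exist in the back-end.
    if not user_exists(name):
        raise ExternalAuthError("user %r is not in the identity back-end" % name)
    return name


def app(environ, start_response):
    """Minimal WSGI app: 200 with the user name, or 401 with the reason."""
    backend = {"alice"}  # constructed sample back-end
    try:
        user = resolve_external_user(environ, backend.__contains__)
    except ExternalAuthError as exc:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode()]
```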