openstack/openstack-manuals
Code Issues Proposed changes
91340baf0c
openstack-manuals/doc/common/section_keystone-external-auth.xml
Christian Berendt 15ceb92a08 fixed typos found by RETF in common directory 
Just wrote a script like Topy using the RETF rules provided by
Wikipedia. A first test run on the common directory found some
more typos.

The script is available at the following URL at the moment.

https://gist.github.com/berendt/5ae38f2f1d5bd6b883d3

Also updated to active voice and changed <itemizedlist>
to <variablelist>. Removed "In order to" (useless phrase).

Change-Id: I4ecb1927e8291029db9bc0d743a3061138b974c8
2014-05-02 11:46:19 -05:00

46 lines
2.1 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="keystone-external-auth"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
<?dbhtml stop-chunking?>
<title>External authentication with Identity</title>
<para>When Identity runs in <literal>apache-httpd</literal>, you
can use external authentication methods that differ from the
authentication provided by the identity store back end. For
example, you can use an SQL identity back end together with
X.509 authentication, Kerberos, and so on instead of using the
user name and password combination.</para>
<section xml:id="keystone-httpd-auth">
<title>Use HTTPD authentication</title>
<para>Web servers, like Apache HTTP, support many methods of
authentication. Identity can allow the web server to
perform the authentication. The web server then passes the
authenticated user to Identity by using the
<literal>REMOTE_USER</literal> environment variable.
This user must already exist in the Identity back end to
get a token from the controller. To use this method,
Identity should run on
<literal>apache-httpd</literal>.</para>
</section>
<section xml:id="keystone-x509-auth">
<title>Use X.509</title>
<para>The following Apache configuration snippet authenticates
the user based on a valid X.509 certificate from a known
CA:</para>
<programlisting> &lt;VirtualHost _default_:5000&gt;
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl.cert
SSLCertificateKeyFile /etc/ssl/private/ssl.key
SSLCACertificatePath /etc/ssl/allowed_cas
SSLCARevocationPath /etc/ssl/allowed_cas
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient require
SSLVerifyDepth 10
(...)
&lt;/VirtualHost&gt;</programlisting>
</section>
</section>
View Git Blame Copy Permalink