The Long Gray Line
“The Long Gray Line” is a film about a man, fresh off the boat from Ireland in 1898, who becomes a long-term fixture at West Point. I had heard of the movie for years, but never watched it before. My...
MySQL, Fedora 20, and Devstack
Once again, the moving efforts of OpenStack and Fedora have diverged enough that devstack did not run for me on Fedora 20. Now, while this is something to file a bug about, I like to understand the...
Packstack to LDAP
While Packstack makes it easy to get OpenStack up and running, it does not (yet) support joining to an existing Directory (LDAP) server. I went through this recently and here are the steps I followed....
mod_lookup_identity
“Don’t repeat yourself.” This rule is such a core principle in programming that it has been reduced to the acronym DRY. Yet, somehow, every web application framework out there ends up with a custom...
Keystone and Kerberos
“How can I integrate Kerberos into a Keystone server and still maintain the UserId-Password based login?” This is a fairly simple task, and works due to the fact that the AUTH_URL used to get a token...
Mapping X509 to Endpoints in OpenStack
Keystone token signing suffers from Highlander Syndrome. When it comes to Token Signers: There Can Be Only One. Specifically, the endpoint running keystoneclient.middleware.auth_token in its stack...
Keystone Federation via mod_lookup_identity
In a recent post, I described how I configured a web server to use mod_lookup_identity. Now, I use that configuration to provide a test for the recent Federation work in Keystone. This is a really...
Parameter Names in Java 8
There is a killer feature in Java 8, and it is not Lambdas. The Bean API has always been one of the most frustrating parts of Java Enterprise coding. The need to do pattern matching on object names has...
Kerberizing Keystone in HTTPD
Configuring Kerberos as the authentication mechanism for Keystone is not much different than Kerberizing any other Web application. The general steps are: Configure Keystone to Run with an LDAP backend...
TGT Forwarding and Cleanup
Kerberos provides single sign-on. However, if you don’t take care, you will end up having to do a kinit on a remote machine. Not a big deal, but the TGT on the remote machine will not necessarily be...
Keeping DHCP from Changing the Nameserver
I’m running FreeIPA in an OpenStack lab. I don’t control the DHCP server. When a host renews its lease, the dhclient code overwrites the nameserver values in /etc/resolv.conf. To avoid this, I modified...
Running the FreeIPA CLI from a Non-Client Machine
A developer does things that are at odds with a production deployment. Case in point: FreeIPA assumes that its CLI should be run on an ipa-client machine. But as a developer, I need to talk to remote...
S4U2Proxy for Horizon
I’ve got a packstack install, and a Kerberos-capable Keystone. Time to call it from Horizon. Time to set up S4U2Proxy. I’ll be following the steps laid out by Alexander Bokovoy. This is a work in...
Testing S4U2Proxy
Yesterday I set up a S4U2Proxy configuration for HTTP to HTTP delegation. Today, I tested it. I took Alexander’s approach to testing using CGI. Here’s my test page, that just fetches a token from...
Kerberos, Keystone Client, and S4U2Proxy
Since my eventual goal is to Kerberize Horizon, my next step after getting a CGI solution working was to make use of the Keystone client. Since the Kerberos auth plugin is still a work-in-progress, it...
Kerberos, Federation, and Horizon
I’ve been looking into enabling Kerberos for Horizon. Since Horizon passes the user’s credentials on to Keystone to get a token, Kerberos requires an additional delegation mechanism. This leads to some...
Keystone tox Cheat Sheet
While I grumbled when run_tests.sh was deprecated with just a terse message to go read the docs about tox, I have since switched over. Here is my quick tox transition tutorial. To list the target...
Kerberos and Firewalls
Most datacenters block non-standard ports at their firewalls. This includes ports for lesser used protocols. The Kerberos Key Distribution Center (KDC) listens on port 88 (TCP and UDP). Which means...
Unattended Install of a FreeIPA Server
As a developer, I install and uninstall the application I’m working on all the time. Back when I was working on FreeIPA full time, I had a couple of functions that I used to do an unattended install...
Why POpen for OpenSSL Calls
Many people have questioned why I chose to use popen to call the OpenSSL binary from Keystone and the auth_token middleware. Here is my rationale: Keystone and the other API services in OpenStack are...