<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-external-auth">
<?dbhtml stop-chunking?>
<title>External authentication with Identity</title>
<para>When Identity runs in <literal>apache-httpd</literal>, you
can use external authentication methods that differ from the
authentication that the identity store back end provides. For
example, you can use an SQL identity back end together with
X.509 authentication and Kerberos, instead of using the
user name and password combination.</para>
<section xml:id="keystone-httpd-auth">
<title>Use HTTPD authentication</title>
<para>Web servers, such as Apache HTTP Server, support many methods of
authentication. Identity can allow the web server to
perform the authentication. The web server then passes the
authenticated user to Identity by using the
<literal>REMOTE_USER</literal> environment variable.
Identity accepts this value as already authenticated, so every
route by which a request can reach Identity must pass through a
web server configuration that enforces the authentication.
This user must already exist in the Identity back end to
get a token from the controller. To use this method,
Identity should run on
<literal>apache-httpd</literal>.</para>
</section>
<section xml:id="keystone-x509-auth">
<title>Use X.509</title>
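<para>The following Apache configuration snippet authenticates
the user based on a valid X.509 certificate from a known
CA. The common name (CN) of the certificate subject becomes the
<literal>REMOTE_USER</literal> value, so the CA directory should
contain only CAs that you trust to issue user certificates:</para>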
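<programlisting>&lt;VirtualHost _default_:5000&gt;
    SSLEngine on
    # Server certificate and private key for this virtual host.
    SSLCertificateFile /etc/ssl/certs/ssl.cert
    SSLCertificateKeyFile /etc/ssl/private/ssl.key

    # CA certificates accepted when verifying client certificates.
    # Every CA in this directory can vouch for any user name, so keep
    # the set as small as possible.
    SSLCACertificatePath /etc/ssl/allowed_cas
    # CRLs are read from the same directory as the CA certificates.
    # On Apache httpd 2.4 they are consulted only when
    # SSLCARevocationCheck is set to chain or leaf; its default is none.
    SSLCARevocationPath /etc/ssl/allowed_cas
    # Set REMOTE_USER to the common name (CN) of the certificate subject.
    SSLUserName SSL_CLIENT_S_DN_CN
    # Reject any client that does not present a certificate that verifies.
    SSLVerifyClient require
    # Maximum depth of CA certificates allowed in the client certificate
    # chain. NOTE(review): 10 is generous; use the smallest depth that
    # your PKI needs.
    SSLVerifyDepth 10

    (...)
&lt;/VirtualHost&gt;</programlisting>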
</section>
</section>