keystone - authenticate the end user based on a valid X.509 certificate

asked 2014-07-17 02:26:20 -0600

dejwsz

Hello, I've found info on how to set this up via apache2 here: (

But I don't know exactly how to test it. Does anybody know, for example, command-line curl examples which show how to test it just by using the end user's X.509 certificate and get an end user token? Or just list containers for the end user account? Do I understand correctly that the end user is obliged to use just an X.509 certificate and he/she should be able to use keystone/swift without user/password?


1 answer


answered 2014-07-17 12:20:21 -0600

updated 2014-07-17 13:03:50 -0600

To do that you need to do the following:

1) Configure keystone to run under Apache
2) Configure the Apache virtual host to accept client certs
3) Write your own middleware and, in the middleware, set the REMOTE_USER variable from the SSL cert variables populated by Apache.


Could you point to an example of this middleware? Like dejwsz, I was under the impression that the instructions in external-auth.html should obviate the need for a password. In my SSL-enabled setup, the openstack command-line clients still ask for a password.

crd-u (2016-08-10 10:37:33 -0600)
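
One way to write the middleware from step 3 of the answer, added here as an example; it is not code from the answer or from keystone. It assumes the Apache virtual host enables client-certificate verification and `SSLOptions +StdEnvVars`, so that mod_ssl populates `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN`; the class name `ClientCertRemoteUser`, the helper `demo_request`, the CN-as-username mapping and the optional allow-list are assumptions of the example.

```python
"""WSGI filter: derive REMOTE_USER from mod_ssl client-certificate variables."""

# mod_ssl exports these when the vhost has `SSLOptions +StdEnvVars`.
VERIFY_VAR = "SSL_CLIENT_VERIFY"
CN_VAR = "SSL_CLIENT_S_DN_CN"


class ClientCertRemoteUser:
    """Hypothetical middleware for this example; not part of keystone."""

    def __init__(self, app, allowed_users=None):
        self.app = app
        # Optional allow-list of certificate CNs (an assumption of this example).
        self.allowed_users = set(allowed_users) if allowed_users else None

    def __call__(self, environ, start_response):
        # The certificate is the only identity source here, so drop any
        # REMOTE_USER that was set before the certificate check.
        environ.pop("REMOTE_USER", None)
        user = self._user_from_cert(environ)
        if user is not None:
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)

    def _user_from_cert(self, environ):
        # Only "SUCCESS" means the chain validated against the configured CA;
        # "NONE", "GENEROUS" and "FAILED:<reason>" must not authenticate anyone.
        if environ.get(VERIFY_VAR) != "SUCCESS":
            return None
        cn = (environ.get(CN_VAR) or "").strip()
        # Reject empty names and control characters before they reach keystone.
        if not cn or any(ord(c) < 0x20 for c in cn):
            return None
        if self.allowed_users is not None and cn not in self.allowed_users:
            return None
        return cn


def demo_request(environ, allowed_users=None):
    """Run the filter over a constructed environ; return REMOTE_USER seen downstream."""
    seen = {}

    def downstream(env, start_response):
        seen["user"] = env.get("REMOTE_USER")
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    ClientCertRemoteUser(downstream, allowed_users)(environ, lambda s, h: None)
    return seen["user"]
```

The filter wraps the keystone WSGI application, so keystone's external authentication sees `REMOTE_USER` only for requests whose client certificate Apache has verified.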


Asked: 2014-07-17 02:25:38 -0600

Seen: 109 times

Last updated: Jul 17 '14