FreeIPA / Kerberos support

Hi all,

We are trying to set up Kerberos-based authentication with a FreeIPA backend and would like some feedback or other suggestions.

In particular, we are trying to avoid any password being typed by the user (except for kinit).

There are two things we'd like to get from FreeIPA to use in ONE:

a. Get the users known to ONE. I think we might want to consider writing some code here to get the internal database in sync with IPA (users and their public SSH keys, as those are also known in IPA). Although we could get krb5-based LDAP working, I don't think the ONE LDAP method supports the concept of user SSH keys from LDAP.
But the SSH keys are more of a nice-to-have; I don't think ssh-auth login will be used that much, and maybe we can even use krb5-based SSH for that; and for contextualisation, we could create custom scripts to set all keys. So maybe krb5-based LDAP after all :wink:

b. Authentication: reading through the docs, I think the best way forward is to run Sunstone via Apache and then, using http://www.freeipa.org/page/Web_App_Authentication, let the user log in and have Sunstone with cloud server (http://docs.opennebula.org/4.12/administration/sunstone_gui/cloud_auth.html) connect to the ONE backend on behalf of the user.

many thanks for any feedback!

stijn

I think this can be done by creating a new auth driver that checks whether the password sent is a valid token for that user. You can use the ldap or even the plain driver as an example. The workflow for login would be:

  • Use kinit to get a new token
  • Update one_auth and write the new token

None of the auth drivers gets any more information than whether the password is correct and the groups a user belongs to (only ldap). That information synchronization must be done by an external method.

Sunstone can use Apache to authenticate with X509. I don't know what it means to add a new auth method, but you can take a look at it in this directory:

Hi Javi

Thanks a lot for your feedback. In fact, we are playing around with the Sunstone kerberization, and it works!
For our tests we have modified X509CloudAuth.rb because it is quite similar to x509 auth; instead of a user DN we gather REMOTE_USER from the Apache env. In our case:

remote_user = env['REMOTE_USER']

and

username = get_username(remote_user)

That's it! The authentication is done by Apache and we trust this user; we only need to include it in our DB (we use x509 auth as well):

$ oneuser create username 'username@DOMAIN' --x509

We include the REMOTE_USER value in the user's password in plain text (I think that's safe... you use the same procedure to match users' DNs).

In our test Sunstone is running as a standalone service and configured to use Passenger and Kerberos. I don't know if this feature could be useful to someone else; I will try to include a new :auth: option to configure Sunstone so as to avoid using x509... maybe remote? RemoteCloudAuth.rb: REMOTE_USER is used by Kerberos and many SSOs to authenticate users from Apache. If so we can create a new PR or even an addon to include it in OpenNebula.

Cheers and thanks
Alvaro
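
The REMOTE_USER mapping Alvaro describes, written out as an added example (this is not the code from X509CloudAuth.rb or any other OpenNebula file): a module that reads the principal Apache places in the Rack env, checks that it is well-formed and belongs to an expected realm, and looks up the ONE user whose x509 "password" equals that principal, the same way the x509 method matches a certificate DN. The Hash-based user directory, the `allowed_realms` parameter and the sample principals are assumptions constructed for the example; in Sunstone the lookup would go through the UserPool instead.

```ruby
# Added example, not OpenNebula's code: a Sunstone-style cloud-auth check that
# trusts the REMOTE_USER variable set by Apache (mod_auth_kerb, mod_auth_gssapi
# or another SSO module) and maps the Kerberos principal to an OpenNebula user
# the way the x509 method matches a certificate DN against the stored
# "password". The user directory is modelled as a plain Hash
# (username => {password:, driver:}) instead of the OpenNebula UserPool, and
# the realm allow-list is an assumption of this example, not a Sunstone option.
module RemoteCloudAuth
  # Accept only principals shaped like user@REALM, so whatever Apache hands
  # over is well-formed before it is used as a lookup key.
  PRINCIPAL_RE = /\A[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\z/

  # Returns the trusted principal from a Rack env, or nil.
  # Rack stores client-sent headers under HTTP_* keys, so a browser sending
  # "Remote-User: x" shows up as env['HTTP_REMOTE_USER'], never as
  # env['REMOTE_USER']. Only the server-set key is read; the HTTP_ variant is
  # ignored on purpose so a proxy header cannot inject an identity.
  def self.remote_principal(env, allowed_realms)
    principal = env['REMOTE_USER']
    return nil if principal.nil? || principal.empty?
    return nil unless PRINCIPAL_RE.match?(principal)
    realm = principal.split('@', 2).last
    return nil unless allowed_realms.include?(realm)
    principal
  end

  # Mirrors the x509 lookup: the principal was stored as the user's "password"
  # (oneuser create <name> '<principal>' --x509). Restricting the match to
  # driver 'x509' is this example's choice: it keeps a core user whose stored
  # password string happened to equal a principal from being matched.
  def self.get_username(users, principal)
    entry = users.find { |_, u| u[:driver] == 'x509' && u[:password] == principal }
    entry && entry.first
  end

  # Counterpart of X509CloudAuth#do_auth: the ONE username to act as, or nil.
  def self.do_auth(env, users, allowed_realms)
    principal = remote_principal(env, allowed_realms)
    principal && get_username(users, principal)
  end
end

# Constructed sample directory standing in for the ONE user DB (not real data).
SAMPLE_USERS = {
  'alvaro' => { password: 'alvaro@EXAMPLE.ORG', driver: 'x509' },
  'stijn'  => { password: 'stijn@EXAMPLE.ORG',  driver: 'x509' },
  'bob'    => { password: 'bob@EXAMPLE.ORG',    driver: 'core' }
}.freeze
ALLOWED_REALMS = ['EXAMPLE.ORG'].freeze

if __FILE__ == $PROGRAM_NAME
  cases = {
    'kerberos login'        => { 'REMOTE_USER' => 'alvaro@EXAMPLE.ORG' },
    'client header only'    => { 'HTTP_REMOTE_USER' => 'alvaro@EXAMPLE.ORG' },
    'foreign realm'         => { 'REMOTE_USER' => 'alvaro@OTHER.ORG' },
    'not registered in ONE' => { 'REMOTE_USER' => 'carol@EXAMPLE.ORG' },
    'not an SSO mapping'    => { 'REMOTE_USER' => 'bob@EXAMPLE.ORG' }
  }
  cases.each do |label, env|
    result = RemoteCloudAuth.do_auth(env, SAMPLE_USERS, ALLOWED_REALMS)
    puts "#{label.ljust(22)} -> #{result.inspect}"
  end
end
```

The trust in this scheme rests entirely on REMOTE_USER being set only by the web server that performed the Kerberos handshake. That holds when Sunstone runs under Apache with Passenger, as in Alvaro's test, because a client cannot write a non-HTTP_ key into the Rack env. It would not hold for a deployment that forwards the identity from a reverse proxy in an ordinary request header, which is why the example refuses to fall back to HTTP_REMOTE_USER.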