Comment 2 for bug 1643112

Adam Young (ayoung) wrote :

A config section for [token] starts with:

# Allowed authentication methods. Note: You should disable the `external` auth
# method if you are currently using federation. External auth and federation
# both use the REMOTE_USER variable. Since both the mapped and external plugin
# are being invoked to validate attributes in the request environment, it can
# cause conflicts. (list value)
#methods = external,password,token,oauth1,mapped,application_credential

This value is used for the URL

/v3/auth/tokens

however, the `external` config is really only supposed to be used with /OS-FEDERATION.

If External is specified here, it is to allow a user to do LDAP + Kerberos or some other variation like that, not Federation.

If we don't have external specified, when we set up Federation we need to go and enable it here, but that implies it is usable for direct token issue as well, which is incorrect. There is the potential for this to be misconfigured, and allow access when it is not supposed to be provided. That would happen if, say, Kerberos was to be used as a Federation-only protocol, but was then allowed with LDAP, too.
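As an added example (not part of the comment above and not Keystone code), the following script audits a keystone.conf fragment for the exposure the comment describes: if `external` is in the enabled `methods` list, REMOTE_USER-based authentication is accepted on POST /v3/auth/tokens and not only under /OS-FEDERATION, and if `mapped` is enabled alongside it, both plugins consume REMOTE_USER. The comment quotes the option from a `[token]` section; in keystone.conf today the `methods` option lives under `[auth]`, so the section name is a parameter. The config fragments and the wording of the findings are constructed for illustration; the default method list is copied from the help text quoted above.

```python
"""Audit a keystone.conf fragment for `external` being usable on /v3/auth/tokens.

Constructed example, not keystone code. It reads the `methods` option from the
given section (default "auth"; pass "token" if your file matches the comment
above) and reports when `external` is enabled, and additionally when `mapped`
is enabled with it, since both plugins read REMOTE_USER.
"""
import configparser

# Default value copied from the help text quoted in the comment above.
DEFAULT_METHODS = "external,password,token,oauth1,mapped,application_credential"


def enabled_methods(conf_text, section="auth"):
    """Return the enabled auth methods, applying the documented default when
    `methods` is absent or commented out (a `#methods = ...` line is a comment)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(section, "methods", fallback=DEFAULT_METHODS)
    return [m.strip() for m in raw.split(",") if m.strip()]


def audit_methods(conf_text, section="auth"):
    """Return a list of findings; an empty list means nothing to flag."""
    methods = enabled_methods(conf_text, section)
    findings = []
    if "external" in methods:
        # `external` is consulted for POST /v3/auth/tokens, i.e. direct token
        # issue, not only for the /OS-FEDERATION endpoints.
        findings.append(
            "external enabled: REMOTE_USER auth is accepted on POST /v3/auth/tokens "
            "(direct token issue), not only via /OS-FEDERATION")
        if "mapped" in methods:
            # Both plugins validate REMOTE_USER, so a protocol intended to be
            # federation-only (e.g. Kerberos) also works for direct login.
            findings.append(
                "external and mapped both enabled: both plugins read REMOTE_USER, "
                "so a federation-only protocol also works for direct login")
    return findings


# Constructed config fragments for demonstration (not from any real deployment).
CONF_DEFAULT = """[auth]
# methods left at its default, which includes `external`
#methods = external,password,token,oauth1,mapped,application_credential
"""

CONF_FEDERATION_ONLY = """[auth]
# Kerberos is meant to be federation-only, so `external` is left out and
# only the `mapped` plugin consumes REMOTE_USER.
methods = password,token,oauth1,mapped,application_credential
"""

if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT),
                       ("federation-only", CONF_FEDERATION_ONLY)):
        print(name, audit_methods(conf) or ["ok"])
```

Run it against your own keystone.conf by reading the file into `audit_methods`; the default fragment produces two findings, while the federation-only fragment, which drops `external` and keeps `mapped`, produces none.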