[openstack-dev] extending keystone identity

Simon Perfer simon.perfer at hotmail.com
Mon Jan 27 21:27:47 UTC 2014

I'm looking to create a simple Identity driver that will look at usernames. A small number of specific users should be authenticated by looking at a hard-coded password in keystone.conf, while any other users should fall back to LDAP authentication.
I based my original driver on what's found here:
As can be seen in the GitHub code (https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py), there's a _check_password() method which is supposedly called at some point.
I've based my driver on this ldapauth.py file, and created an Identity class which subclasses sql.Identity. Here's what I have so far:

CONF = config.CONF
LOG = logging.getLogger(__name__)

class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication')
        username = user_ref.get('name')

        LOG.debug('Username = %s' % username)

I can see from the syslog output that we never enter the _check_password() function.
Can someone point me in the right direction regarding which function calls the identity driver? Also, what is the entry function in the identity drivers? Why wouldn't check_password() be called, as we see in the GitHub / blog example above?
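
The local-users-then-LDAP decision described in the message, as an added stand-alone example that is not code from the original post or from Keystone. HybridAuthenticator, LOCAL_USERS, hash_password and fake_ldap_check are hypothetical names, the account data is constructed, and the LDAP bind is replaced by a stub so the block runs offline.

```python
import hashlib
import hmac


def hash_password(password, salt, rounds=100000):
    """Derive a PBKDF2-SHA256 hash so the config never holds plaintext."""
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, rounds)


# Constructed sample data: the few local accounts, stored as (salt, hash).
_SALT = b'constructed-salt'
LOCAL_USERS = {'svc-backup': (_SALT, hash_password('s3cret-example', _SALT))}


def fake_ldap_check(username, password):
    """Stand-in for a real LDAP bind (assumption: returns True on success)."""
    return (username, password) == ('alice', 'ldap-pass')


class HybridAuthenticator(object):
    """Authenticate listed users locally; send everyone else to LDAP."""

    def __init__(self, local_users, ldap_check):
        self.local_users = local_users
        self.ldap_check = ldap_check  # callable(username, password) -> bool

    def authenticate(self, username, password):
        # Reject empty credentials before any backend sees them: a simple
        # bind with a DN and an empty password is an "unauthenticated bind"
        # (RFC 4513) that some LDAP servers report as successful.
        if not username or not password:
            return False
        entry = self.local_users.get(username)
        if entry is not None:
            salt, expected = entry
            # Constant-time compare. A local user never falls through to
            # LDAP, so a directory entry with the same name cannot be used
            # to log in as the local account.
            return hmac.compare_digest(hash_password(password, salt), expected)
        return bool(self.ldap_check(username, password))


if __name__ == '__main__':
    auth = HybridAuthenticator(LOCAL_USERS, fake_ldap_check)
    for user, pw in [('svc-backup', 's3cret-example'), ('svc-backup', 'x'),
                     ('alice', 'ldap-pass'), ('alice', '')]:
        print(user, auth.authenticate(user, pw))
```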