[openstack-dev] extending keystone identity

Simon Perfer simon.perfer at hotmail.com
Tue Jan 28 21:30:52 UTC 2014

Thanks Adam. We played around with domains without success. There's a rather complex reason why given our existing OpenStack environment.
I'm still hoping that it will be simple enough to extend an existing driver. I'd also love to learn how to code my own driver for some more complex authentication projects we have coming down the pipe.
Date: Tue, 28 Jan 2014 15:42:29 -0500
From: ayoung at redhat.com
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

    Use two separate domains for them. 
      Make the userids be "uuid at domainid"  to be able distinguish one
      from the other.



      On 01/27/2014 04:27 PM, Simon Perfer wrote:

        I'm looking to create a
            simple Identity driver that will look at usernames. A small
            number of specific users should be authenticated by looking
            at a hard-coded password in keystone.conf, while any other
            users should fall back to LDAP authentication.

        I based my original driver on what's found here:


        As can be seen in the github code (https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
          there's a _check_password() method which is supposedly called
          at some point.

        I've based my driver on this ldapauth.py file, and created
          an Identity class which subclasses sql.Identity. Here's what I
          have so far:

          CONF = config.CONF
          LOG = logging.getLogger(__name__) Roles should
            also be scopeed-able

          class Identity(sql.Identity):
              def __init__(self):
                  super(Identity, self).__init__()
                  LOG.debug('My authentication module

              def _check_password(self, password,
                  LOG.debug('Authenticating via my custom
            hybrid authentication')

                  username = user_ref.get('name')
                  LOG.debug('Username = %s' % username)

          I can see from the syslog output that we never
            enter the _check_password() function.

        Can someone point me in the right direction regarding which
          function calls the identity driver? Also, what is the entry
          function in the identity drivers? Why wouldn't
          check_password() be called, as we see in the github / blog
          example above?



OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org



OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140128/ba4fda75/attachment.html>

More information about the OpenStack-dev mailing list