<div dir="ltr"><div>_check_password() is a private/internal API, so we make no guarantees about it's stability. Instead, override the public authenticate() method with something like this:</div><div><br></div><div> def authenticate(self, user_id, password, domain_scope=None):</div>
<div> if user_id in SPECIAL_LIST_OF_USERS:</div><div> # compare against value from keystone.conf</div><div> pass</div><div> else:</div><div> return super(CustomIdentityDriver, self).authenticate(user_id, password, domain_scope)</div>
<div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer <span dir="ltr"><<a href="mailto:simon.perfer@hotmail.com" target="_blank">simon.perfer@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div><div dir="ltr"><div><span style="font-size:12pt">I'm looking to create a simple Identity driver that will look at usernames. A small number of specific users should be authenticated by looking at a hard-coded password in keystone.conf, while any other users should fall back to LDAP authentication.</span></div>
<div><br></div><div>I based my original driver on what's found here:</div><div><br></div><div><a href="http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/" target="_blank">http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/</a></div>
<div><br></div><div>As can be seen in the github code (<a href="https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py" style="font-size:12pt" target="_blank">https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py</a>), there's a _check_password() method which is supposedly called at some point.</div>
<div><br></div><div>I've based my driver on this ldapauth.py file, and created an Identity class which subclasses sql.Identity. Here's what I have so far:</div><div><br></div><div>
<p>CONF = config.CONF</p><p>LOG = logging.getLogger(__name__)</p><p><br></p><p>class Identity(sql.Identity):</p><p> def __init__(self):</p><p> super(Identity, self).__init__()</p><p> LOG.debug('My authentication module loaded')</p>
<p><br></p><p> def _check_password(self, password, user_ref):</p><p> LOG.debug('Authenticating via my custom hybrid authentication')</p><p><br></p><p> username = user_ref.get('name')</p><p>
</p><p> LOG.debug('Username = %s' % username)</p><p><br></p><p>I can see from the syslog output that we never enter the _check_password() function.</p></div><div><br></div><div>Can someone point me in the right direction regarding which function calls the identity driver? Also, what is the entry function in the identity drivers? Why wouldn't check_password() be called, as we see in the github / blog example above?</div>
<div><br></div><div>THANKS!</div> </div></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>