<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks Adam. We played around with domains without success. There's a rather complex reason why given our existing OpenStack environment.<div><br></div><div>I'm still hoping that it will be simple enough to extend an existing driver. I'd also love to learn how to code my own driver for some more complex authentication projects we have coming down the pipe.</div><div><div><br><div><hr id="stopSpelling">Date: Tue, 28 Jan 2014 15:42:29 -0500<br>From: ayoung@redhat.com<br>To: openstack-dev@lists.openstack.org<br>Subject: Re: [openstack-dev] extending keystone identity<br><br>
<div class="ecxmoz-cite-prefix">Use two separate domains for them.
Make the userids be "uuid@domainid" to be able to distinguish one
from the other.<br>
<br>
<br>
On 01/27/2014 04:27 PM, Simon Perfer wrote:<br>
</div>
<blockquote cite="mid:SNT147-W47EEC32A2A2C76B71AB79581A20@phx.gbl">
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}
--></style>
<div dir="ltr">
<div><span style="font-size:12pt;">I'm looking to create a
simple Identity driver that will look at usernames. A small
number of specific users should be authenticated by looking
at a hard-coded password in keystone.conf, while any other
users should fall back to LDAP authentication.</span></div>
<div><br>
</div>
<div>I based my original driver on what's found here:</div>
<div><br>
</div>
<div><a href="http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/" target="_blank">http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/</a></div>
<div><br>
</div>
<div>As can be seen in the github code (<a href="https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py" target="_blank" style="font-size:12pt;">https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py</a>),
there's a _check_password() method which is supposedly called
at some point.</div>
<div><br>
</div>
<div>I've based my driver on this ldapauth.py file, and created
an Identity class which subclasses sql.Identity. Here's what I
have so far:</div>
<div><br>
</div>
<div>
<p class="ecxp1">CONF = config.CONF</p>
<p class="ecxp1">LOG = logging.getLogger(__name__)</p>
<p class="ecxp2"><br>
</p>
<p class="ecxp1">class Identity(sql.Identity):</p>
<p class="ecxp1">&nbsp;&nbsp;&nbsp;&nbsp;def __init__(self):</p>
<p class="ecxp1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;super(Identity, self).__init__()</p>
<p class="ecxp1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LOG.debug('My authentication module loaded')</p>
<p class="ecxp2"><br>
</p>
<p class="ecxp1">&nbsp;&nbsp;&nbsp;&nbsp;def _check_password(self, password, user_ref):</p>
<p class="ecxp1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LOG.debug('Authenticating via my custom hybrid authentication')</p>
<p class="ecxp2"><br>
</p>
<p class="ecxp1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;username = user_ref.get('name')</p>
<p class="ecxp1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LOG.debug('Username = %s' % username)</p>
<p class="ecxp1"><br>
</p>
<p class="ecxp1">I can see from the syslog output that we never
enter the _check_password() function.</p>
</div>
<div><br>
</div>
<div>Can someone point me in the right direction regarding which
function calls the identity driver? Also, what is the entry
function in the identity drivers? Why wouldn't
check_password() be called, as we see in the github / blog
example above?</div>
<div><br>
</div>
<div>THANKS!</div>
</div>
<br>
<pre>_______________________________________________
OpenStack-dev mailing list
<a class="ecxmoz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="ecxmoz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div></div></div> </div></body>
</html>
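The hybrid check described in the original question (a few named accounts verified locally, everyone else sent to LDAP), as an added example that is not part of the thread or of Keystone's code. `HybridAuthenticator`, `hash_password`, `fake_ldap_check` and the sample accounts are hypothetical, and it keeps a PBKDF2 digest in place of the plaintext password the question mentions.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware

def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 digest, so the config never holds the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

class HybridAuthenticator:
    """Check a small set of local accounts first; everyone else goes to LDAP."""

    def __init__(self, local_users, ldap_check):
        # local_users: {username: (salt, digest)}, e.g. loaded from a config file
        # ldap_check: callable(username, password) -> bool, the fallback backend
        self._local = dict(local_users)
        self._ldap_check = ldap_check

    def authenticate(self, username, password):
        if not username or not password:
            # An empty password can turn an LDAP simple bind into an
            # unauthenticated bind that "succeeds", so reject it up front.
            return False
        entry = self._local.get(username)
        if entry is not None:
            salt, expected = entry
            # Constant-time compare; a local account never falls through to LDAP,
            # so a same-named directory entry cannot be used to log in as it.
            return hmac.compare_digest(hash_password(password, salt), expected)
        return bool(self._ldap_check(username, password))

# Constructed sample data: one local service account and a stub directory.
_SALT = b"constructed-salt"
LOCAL_USERS = {"svc-monitor": (_SALT, hash_password("local-secret", _SALT))}
_FAKE_LDAP = {"alice": "ldap-secret", "svc-monitor": "ldap-other"}

def fake_ldap_check(username, password):
    # Stand-in for a real simple bind against the directory.
    return hmac.compare_digest(_FAKE_LDAP.get(username, ""), password)

def demo():
    auth = HybridAuthenticator(LOCAL_USERS, fake_ldap_check)
    return {
        "local_ok": auth.authenticate("svc-monitor", "local-secret"),
        "local_no_fallback": auth.authenticate("svc-monitor", "ldap-other"),
        "ldap_ok": auth.authenticate("alice", "ldap-secret"),
        "ldap_bad": auth.authenticate("alice", "wrong"),
        "empty": auth.authenticate("alice", ""),
    }
```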