> You can use a token to get a token. Look at the authenticate code in
> keystone/service.py
>
> Have the user initially get a non-tenant specific token. Pass that in the
> x-auth header to POST /tokens/ along with a tenantid and you will get a new
> one scoped to the tenant

Ah. This is perfect, thanks!

>> I'm using the LDAP backend. I'm assuming I'm going to have to modify
>> the authenticate method to handle this. Would doing this be enough to
>> make this work, or will I need to patch more extensively for this
>> solution?
>
> Tokens are not stored in LDAP. There are separate back ends for: identity,
> tokens, and service catalog. LDAP is only wired up for Identity. For
> Token, the default is KVS, which is in memory only. You probably want to use
> memcached or SQL for the token back end, otherwise a reboot of the keystone
> server will lose you all the tokens.

I was planning on hacking in a method of pulling a long-lived token from
LDAP, but your previous comment makes that unneeded.

- Ryan