Re: [openstack-dev] extending keystone identity
Thanks again, Dolph.

First, is there some good documentation on how to write a custom driver? I'm wondering specifically about how a keystone user-list is mapped to a specific function in identity/backend/mydriver.py. I suppose this mapping is why I was getting the 500 error about the action not being implemented.

Secondly, before poking around with writing a custom driver, I decided to simply inherit ldap.Identity, as follows:

    class Identity(ldap.Identity):
        def __init__(self):
            super(Identity, self).__init__()
            LOG.debug('My authentication module loaded')

        def authenticate(self, user_id, password):
            LOG.debug('in auth function')

When I get a list of users, I never get the debug output. Further, I removed the authenticate method from the Identity class in ldap.py and list-users STILL worked. Unsure how this is possible. It seems we're never hitting the authenticate method, which is why overriding it in my custom driver doesn't make much of a difference in reaching my goal for local users.

Is there another method I'm supposed to be overriding?

I appreciate the help -- I know these are likely silly questions to seasoned keystone developers.

From: dolph.math...@gmail.com
Date: Mon, 27 Jan 2014 22:35:18 -0600
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

From your original email, it sounds like you want to extend the existing LDAP identity driver implementation, rather than writing a custom driver from scratch, which is what you've written. The TemplatedCatalog driver sort of follows that pattern with the KVS catalog driver, although it's not a spectacular example.

On Mon, Jan 27, 2014 at 9:11 PM, Simon Perfer simon.per...@hotmail.com wrote:

I dug a bit more and found this in the logs:

    (keystone.common.wsgi): 2014-01-27 19:07:13,851 WARNING The action you have requested has not been implemented.

Despite basing my (super simple) code on the SQL or LDAP backends, I must be doing something wrong.

-- I've placed my backend code in /usr/share/pyshared/keystone/identity/backends/nicira.py or /usr/share/pyshared/keystone/common/nicira.py
-- I DO see the my authenticate module loaded in the log

I would appreciate any help in figuring out what I'm missing. Thanks!

From: simon.per...@hotmail.com
To: openstack-dev@lists.openstack.org
Date: Mon, 27 Jan 2014 21:58:43 -0500
Subject: Re: [openstack-dev] extending keystone identity

Dolph, I appreciate the response and pointing me in the right direction. Here's what I have so far:

    # imports here

    CONF = config.CONF
    LOG = logging.getLogger(__name__)

    class Identity(identity.Driver):
        def __init__(self):
            super(Identity, self).__init__()
            LOG.debug('My authentication module loaded')

        def authenticate(self, user_id, password, domain_scope=None):
            LOG.debug('in authenticate method')

When I request a user-list via the python-keystoneclient, we never make it into the authenticate method (as is evident by the missing debug log). Any thoughts on why I'm not hitting this method?

From: dolph.math...@gmail.com
Date: Mon, 27 Jan 2014 18:14:50 -0600
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

_check_password() is a private/internal API, so we make no guarantees about its stability. Instead, override the public authenticate() method with something like this:

    def authenticate(self, user_id, password, domain_scope=None):
        if user_id in SPECIAL_LIST_OF_USERS:
            # compare against value from keystone.conf
            pass
        else:
            return super(CustomIdentityDriver, self).authenticate(user_id, password, domain_scope)

On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer simon.per...@hotmail.com wrote:

I'm looking to create a simple Identity driver that will look at usernames. A small number of specific users should be authenticated by looking at a hard-coded password in keystone.conf, while any other users should fall back to LDAP authentication.

I based my original driver on what's found here: http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/

As can be seen in the github code (https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py), there's a _check_password() method which is supposedly called at some point. I've based my driver on this ldapauth.py file, and created an Identity class which subclasses sql.Identity. Here's what I have so far:

    CONF = config.CONF
    LOG = logging.getLogger(__name__)

    class Identity(sql.Identity):
        def __init__(self):
            super(Identity, self).__init__()
            LOG.debug('My authentication module loaded')

        def _check_password(self, password, user_ref):
            LOG.debug('Authenticating via my custom hybrid authentication
Re: [openstack-dev] extending keystone identity
Use two separate domains for them. Make the userids be uuid@domainid to be able to distinguish one from the other.

On 01/27/2014 04:27 PM, Simon Perfer wrote:

> I'm looking to create a simple Identity driver that will look at usernames. A small number of specific users should be authenticated by looking at a hard-coded password in keystone.conf, while any other users should fall back to LDAP authentication.
>
> I based my original driver on what's found here: http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/
>
> As can be seen in the github code (https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py), there's a _check_password() method which is supposedly called at some point. I've based my driver on this ldapauth.py file, and created an Identity class which subclasses sql.Identity. Here's what I have so far:
>
>     CONF = config.CONF
>     LOG = logging.getLogger(__name__)

Roles should also be scope-able

>     class Identity(sql.Identity):
>         def __init__(self):
>             super(Identity, self).__init__()
>             LOG.debug('My authentication module loaded')
>
>         def _check_password(self, password, user_ref):
>             LOG.debug('Authenticating via my custom hybrid authentication')
>             username = user_ref.get('name')
>             LOG.debug('Username = %s' % username)
>
> I can see from the syslog output that we never enter the _check_password() function. Can someone point me in the right direction regarding which function calls the identity driver? Also, what is the entry function in the identity drivers? Why wouldn't check_password() be called, as we see in the github / blog example above? THANKS!

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] extending keystone identity
Thanks Adam. We played around with domains without success. There's a rather complex reason why, given our existing OpenStack environment.

I'm still hoping that it will be simple enough to extend an existing driver. I'd also love to learn how to code my own driver for some more complex authentication projects we have coming down the pipe.

Date: Tue, 28 Jan 2014 15:42:29 -0500
From: ayo...@redhat.com
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

Use two separate domains for them. Make the userids be uuid@domainid to be able to distinguish one from the other.
Re: [openstack-dev] extending keystone identity
On Tue, Jan 28, 2014 at 12:54 PM, Simon Perfer simon.per...@hotmail.com wrote:

> Thanks again, Dolph.
>
> First, is there some good documentation on how to write a custom driver? I'm wondering specifically about how a keystone user-list is mapped to a specific function in identity/backend/mydriver.py.

I believe it's calling list_users() in your implementation of the Driver interface (or raising Not Implemented from the Driver abstract base class itself).

> I suppose this mapping is why I was getting the 500 error about the action not being implemented.

(501 Not Implemented - 500 is for unhandled exceptions)

> Secondly, before poking around with writing a custom driver, I decided to simply inherit ldap.Identity, as follows:
>
>     class Identity(ldap.Identity):
>         def __init__(self):
>             super(Identity, self).__init__()
>             LOG.debug('My authentication module loaded')
>
>         def authenticate(self, user_id, password):
>             LOG.debug('in auth function')

The basic structure of that looks good to me.

    def __init__(self, *args, **kwargs):
        super(Identity, self).__init__(*args, **kwargs)

> When I get a list of users, I never get the debug output.

What debug output are you expecting? The above code snippet doesn't override list_users(), so I wouldn't expect any output, except what ldap.Identity already provides.

> Further, I removed the authenticate method from the Identity class in ldap.py and list-users STILL worked. Unsure how this is possible. It seems we're never hitting the authenticate method, which is why overriding it in my custom driver doesn't make much of a difference in reaching my goal for local users.

Correct - list_users() shouldn't require authenticate() ... or vice versa.

> Is there another method I'm supposed to be overriding?

Not if you only want to change the behavior of authentication. list_users() should only be called by the administrative API.

> I appreciate the help -- I know these are likely silly questions to seasoned keystone developers.
[openstack-dev] extending keystone identity
I'm looking to create a simple Identity driver that will look at usernames. A small number of specific users should be authenticated by looking at a hard-coded password in keystone.conf, while any other users should fall back to LDAP authentication.

I based my original driver on what's found here: http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/

As can be seen in the github code (https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py), there's a _check_password() method which is supposedly called at some point. I've based my driver on this ldapauth.py file, and created an Identity class which subclasses sql.Identity. Here's what I have so far:

    CONF = config.CONF
    LOG = logging.getLogger(__name__)

    class Identity(sql.Identity):
        def __init__(self):
            super(Identity, self).__init__()
            LOG.debug('My authentication module loaded')

        def _check_password(self, password, user_ref):
            LOG.debug('Authenticating via my custom hybrid authentication')
            username = user_ref.get('name')
            LOG.debug('Username = %s' % username)

I can see from the syslog output that we never enter the _check_password() function. Can someone point me in the right direction regarding which function calls the identity driver? Also, what is the entry function in the identity drivers? Why wouldn't check_password() be called, as we see in the github / blog example above? THANKS!
Re: [openstack-dev] extending keystone identity
_check_password() is a private/internal API, so we make no guarantees about its stability. Instead, override the public authenticate() method with something like this:

    def authenticate(self, user_id, password, domain_scope=None):
        if user_id in SPECIAL_LIST_OF_USERS:
            # compare against value from keystone.conf
            pass
        else:
            return super(CustomIdentityDriver, self).authenticate(user_id, password, domain_scope)
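An added example (not part of the original thread, and not Keystone's own code) of the authenticate() override sketched above, which also shows the point made elsewhere in the thread that list_users() does not go through authenticate(). `LdapIdentityStub`, `HybridIdentity`, the sample users and the raise-AssertionError-on-failure convention are assumptions made for the illustration; the configured password is compared in constant time and a local user is never retried against LDAP.

```python
import hmac


def _same(expected, supplied):
    """Constant-time comparison, so timing does not reveal a partial match."""
    return hmac.compare_digest(expected.encode('utf-8'),
                               (supplied or '').encode('utf-8'))


class LdapIdentityStub(object):
    """Hypothetical stand-in for the LDAP identity driver (not Keystone code).

    Assumption: a failed authentication raises AssertionError and a
    successful one returns a user reference (a dict here).
    """

    def __init__(self, directory):
        self._directory = directory      # constructed sample data: {user_id: password}
        self.authenticate_calls = 0      # counts calls that reach this backend

    def authenticate(self, user_id, password, domain_scope=None):
        self.authenticate_calls += 1
        stored = self._directory.get(user_id)
        if stored is None or not _same(stored, password):
            raise AssertionError('Invalid user / password')
        return {'id': user_id, 'source': 'ldap'}

    def list_users(self):
        # Administrative listing: it never calls authenticate(), which is why
        # a debug line placed in authenticate() stays silent on a user-list.
        return [{'id': uid} for uid in sorted(self._directory)]


class HybridIdentity(LdapIdentityStub):
    """Local users are checked against configured values; others use the parent."""

    def __init__(self, directory, local_users):
        super(HybridIdentity, self).__init__(directory)
        # Stands in for values read from keystone.conf; the thread names no
        # option for this, so none is invented here.
        self._local_users = dict(local_users)

    def authenticate(self, user_id, password, domain_scope=None):
        if user_id in self._local_users:
            # Fail closed: a wrong password for a local user is rejected here
            # and does not fall through to the LDAP check.
            if not _same(self._local_users[user_id], password):
                raise AssertionError('Invalid user / password')
            return {'id': user_id, 'source': 'local'}
        return super(HybridIdentity, self).authenticate(
            user_id, password, domain_scope)


def demo():
    """Run the cases from the thread against constructed sample accounts."""
    driver = HybridIdentity(
        directory={'alice': 'ldap-pw', 'svc-backup': 'ldap-pw-for-svc'},
        local_users={'svc-backup': 'conf-pw'},
    )
    results = {}
    results['listed'] = [u['id'] for u in driver.list_users()]
    results['calls_after_list'] = driver.authenticate_calls
    results['local_ok'] = driver.authenticate('svc-backup', 'conf-pw')['source']
    results['ldap_ok'] = driver.authenticate('alice', 'ldap-pw')['source']
    try:
        driver.authenticate('svc-backup', 'ldap-pw-for-svc')
        results['local_wrong_pw'] = 'accepted'
    except AssertionError:
        results['local_wrong_pw'] = 'rejected'
    results['ldap_calls'] = driver.authenticate_calls
    return results


if __name__ == '__main__':
    print(demo())
```

Only the LDAP-backed login increments the backend counter; the listing and both local-user attempts never reach the parent's authenticate().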
Re: [openstack-dev] extending keystone identity
Dolph, I appreciate the response and pointing me in the right direction. Here's what I have so far:

    # imports here

    CONF = config.CONF
    LOG = logging.getLogger(__name__)

    class Identity(identity.Driver):
        def __init__(self):
            super(Identity, self).__init__()
            LOG.debug('My authentication module loaded')

        def authenticate(self, user_id, password, domain_scope=None):
            LOG.debug('in authenticate method')

When I request a user-list via the python-keystoneclient, we never make it into the authenticate method (as is evident by the missing debug log). Any thoughts on why I'm not hitting this method?
Re: [openstack-dev] extending keystone identity
I dug a bit more and found this in the logs:

    (keystone.common.wsgi): 2014-01-27 19:07:13,851 WARNING The action you have requested has not been implemented.

Despite basing my (super simple) code on the SQL or LDAP backends, I must be doing something wrong.

-- I've placed my backend code in /usr/share/pyshared/keystone/identity/backends/nicira.py or /usr/share/pyshared/keystone/common/nicira.py
-- I DO see the my authenticate module loaded in the log

I would appreciate any help in figuring out what I'm missing. Thanks!
Re: [openstack-dev] extending keystone identity
From your original email, it sounds like you want to extend the existing LDAP identity driver implementation, rather than writing a custom driver from scratch, which is what you've written. The TemplatedCatalog driver sort of follows that pattern with the KVS catalog driver, although it's not a spectacular example.