© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
5466644
demo site
(Get the code!)
After digging into this, I think I figured out why this is happening.
In the example, I configured keystone to have an external authentication method. This allows users to use x509 certificates to authenticate, offloading the validation of the certificate to apache plugins. The data is then passed into keystone in the form of a request context.
Keystone process the request context using middleware, which executes before the actual code in keystone's authentication API. The middleware determines if the request was authenticated using tokenless authentication methods and fires off a call to the tokenless authentication helper class, which handles its own mapping logic[0]
The auto-provisioning feature was implemented after the x509 authentication plugin. So this was likely due to the fact that there were two mapping implementations, and one wasn't as well known.
We could try and get all protocols using the same mapping implementation moving forward. This would make it so we're less susceptible to these kinds of issues moving forward and makes using x509 more useful.
[0] http://
[1] http://
[2] http://
[3] http://
[4] http://
[5] http://
[6] http://