mixing authentication methods within a domain
I'm trying to figure out if it is possible with Juno Keystone to do the following:
Have a domain with a domain-specific keystone.domain-name.conf file which points to a particular IdP (for example LDAP, or some custom-built identity driver).
But allow users to use EITHER external auth or password auth in that domain. Not both.
For example, say my identity driver points to an LDAP configuration. But I have a special admin that I want to authenticate with, say, x509 client certificates.
Can I have essentially this in the conf file: methods=external, password
But...
I want all regular users to be able to authenticate with password, which will go against the LDAP backend. But I want the admin user to exclusively be authenticatable through x509. I don't want him to have a password, or have to set his password to some bogus value that potentially could be modified.
I think the 2 methods can coexist but that there is no way to target certain users to be forced to use one auth method versus the other. Am I wrong?