@@ -44,8 +44,8 @@ Alias /identity %KEYSTONE_BIN%/keystone-wsgi-public

     WSGIPassAuthorization On

 </Location>

-Alias /identity_admin %KEYSTONE_BIN%/keystone-wsgi-admin

-<Location /identity_admin>

+Alias /identity_v2_admin %KEYSTONE_BIN%/keystone-wsgi-admin

+<Location /identity_v2_admin>

     SetHandler wsgi-script

     Options +ExecCGI

@@ -122,8 +122,14 @@ if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then

 fi

 # complete URIs

-KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}

-KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}

+if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then

+    # If running in Apache, use path access rather than port.

+    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_v2_admin

+    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity

+else

+    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}

+    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}

+fi

 # V3 URIs

 KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3

@@ -259,7 +265,15 @@ function configure_keystone {

         # Set the service ports for a proxy to take the originals

         service_port=$KEYSTONE_SERVICE_PORT_INT

         auth_port=$KEYSTONE_AUTH_PORT_INT

+    fi

+    # Override the endpoints advertised by keystone (the public_endpoint and

+    # admin_endpoint) so that clients use the correct endpoint. By default, the

+    # keystone server uses the public_port and admin_port which isn't going to

+    # work when you want to use a different port (in the case of proxy), or you

+    # don't want the port (in the case of putting keystone on a path in

+    # apache).

+    if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then

         iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI

         iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI

     fi

@@ -582,7 +596,14 @@ function start_keystone {

     # Check that the keystone service is running. Even if the tls tunnel

     # should be enabled, make sure the internal port is checked using

     # unencryted traffic at this point.

-    if ! wait_for_service $SERVICE_TIMEOUT $auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/; then

+    # If running in Apache, use the path rather than port.

+

+    local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/

+    if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then

+        service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/

+    fi

+

+    if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then

         die $LINENO "keystone did not start"

     fi

@@ -625,8 +646,8 @@ function bootstrap_keystone {

         --bootstrap-service-name keystone \

         --bootstrap-region-id "$REGION_NAME" \

         --bootstrap-admin-url "$KEYSTONE_AUTH_URI" \

-        --bootstrap-public-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT" \

-        --bootstrap-internal-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT"

+        --bootstrap-public-url "$KEYSTONE_SERVICE_URI" \

+        --bootstrap-internal-url "$KEYSTONE_SERVICE_URI"

 }

 # Restore xtrace