
GSSAPI authentication for Django
==================================

Provides GSSAPI (SPNEGO) authentication to Django applications.

It's a rewrite of django-kerberos using python-gssapi.

It's only tested with MIT Kerberos 5 using package k5test.

Python 2 and 3 and Django >1.8 are supported.

Basic usage
===========

Add this to your project's `urls.py`::

    url('^auth/gssapi/', include('django_gssapi.urls')),

Then enable the default authentication backend by adding this to your `settings.py` file::

    AUTHENTICATION_BACKENDS = (
        'django_gssapi.backends.GSSAPIBackend',
    )

View
====

django-gssapi provides a base LoginView that you can subclass to get the
behaviour you need. The main extension points are:

- `challenge()` returns the 401 response with the challenge; you should override it
  to show a template explaining the failure,
- `success(user)` should log the given user in and redirect to REDIRECT_FIELD_NAME,
- `get_service_name()` should return a gssapi.Name for your service; by
  default it returns None, so GSSAPI will match any name available (for example
  with Kerberos it will match any name in your keytab, like
  `HTTP/my.domain.com`).

Settings
========

To make your application use GSSAPI as its main login method::

    LOGIN_URL = 'gssapi-login'

Your application needs an environment where the GSSAPI mechanism, such as
Kerberos, will work. For Kerberos this means having a default keytab, or creating
one and setting its path in KRB5_KTNAME. Alternatively, with MIT Kerberos 5 and
the credential store extension, you can use `GSSAPI_STORE` to indicate a keytab::

    GSSAPI_STORE = {'keytab': 'FILE:/var/lib/mykeytab'}

You can also force a GSSAPI name for your service with::

    import gssapi

    # Name types live in gssapi.NameType (gssapi.MechType only lists mechanisms).
    GSSAPI_NAME = gssapi.Name('HTTP/my.service.com', gssapi.NameType.hostbased_service)

GSSAPI authentication backend
=============================

A dummy backend is provided in `django_gssapi.backends.GSSAPIBackend`. It looks
up the user with the same username as the GSSAPI name. You should implement your
own backend for your use case.

A custom authentication backend must have the following signature::

    class CustomGSSAPIBackend(object):
        def authenticate(self, request, gssapi_name):
            pass

The parameter `gssapi_name` is a `gssapi.Name` object; it can be cast to a
string to get the raw name.
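
A custom backend is where the raw name gets mapped to a local account. The block below is an added example, not code from django-gssapi: it assumes `str(gssapi_name)` yields a Kerberos principal of the form `user@REALM`, and `ALLOWED_REALMS`, `split_principal()`, `lookup_user()` and the realm `EXAMPLE.ORG` are hypothetical names and constructed values. It refuses principals from other realms and principals with an instance part instead of matching them to a username.

```python
# Added example, not part of django-gssapi; names and realm are assumptions.


class PrincipalRejected(ValueError):
    """The GSSAPI name must not be mapped to a local account."""


def split_principal(raw, allowed_realms):
    """Return the local username for 'user@REALM', or raise PrincipalRejected."""
    # Escaped separators ('\@', '\/') make naive splitting ambiguous: refuse them.
    if '\\' in raw:
        raise PrincipalRejected('escaped characters in %r' % raw)
    primary, sep, realm = raw.partition('@')
    if not sep or not primary or '@' in realm:
        raise PrincipalRejected('expected exactly one realm in %r' % raw)
    # 'alice/admin@REALM' and 'HTTP/host@REALM' are not the user 'alice'.
    if '/' in primary:
        raise PrincipalRejected('instance or service principal %r' % raw)
    # Realms are case-sensitive; a trusted foreign realm must not alias local users.
    if realm not in allowed_realms:
        raise PrincipalRejected('realm %r is not allowed' % realm)
    return primary


class RealmCheckedGSSAPIBackend(object):
    ALLOWED_REALMS = frozenset(['EXAMPLE.ORG'])  # constructed value

    def authenticate(self, request, gssapi_name=None):
        if gssapi_name is None:
            return None  # credentials meant for another backend
        try:
            username = split_principal(str(gssapi_name), self.ALLOWED_REALMS)
        except PrincipalRejected:
            return None
        return self.lookup_user(username)

    def lookup_user(self, username):
        # Imported lazily so the parsing logic can be exercised without Django.
        from django.contrib.auth import get_user_model
        UserModel = get_user_model()
        try:
            user = UserModel._default_manager.get_by_natural_key(username)
        except UserModel.DoesNotExist:
            return None
        return user if user.is_active else None

    def get_user(self, user_id):
        from django.contrib.auth import get_user_model
        return get_user_model()._default_manager.filter(pk=user_id).first()
```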

Kerberos username/password backend
==================================

If your users do not have their browser configured for SPNEGO HTTP
authentication, you can also provide a classic login/password form which checks
passwords using Kerberos. For this, use
`django_gssapi.backends.KerberosPasswordBackend`; the username is used as the
raw principal name.


django-rest-framework authentication backend
============================================

To authenticate users with GSSAPI you can use
`django_gssapi.drf.GSSAPIAuthentication`. It uses the configured GSSAPI
authentication backend to find a user and returns the GSSAPI name in
`request.auth`.