GSSAPI authentication for Django
==================================

Provides GSSAPI (SPNEGO) authentication to Django applications.

It is a rewrite of django-kerberos using python-gssapi.

It has only been tested with MIT Kerberos 5, using the k5test package.

Python 2 and 3 and Django >1.8 are supported.

Basic usage
===========

Add this to your project `urls.py`::

    url('^auth/gssapi/', include('django_gssapi.urls')),

And use the default authentication backend by adding this to your `settings.py` file::

    AUTHENTICATION_BACKENDS = (
        'django_gssapi.backends.GSSAPIBackend',
    )

View
====

django-gssapi provides a base LoginView that you can subclass to get the
behaviour you need. The main extension points are:

- `challenge()` returns the 401 response with the challenge; you should override it
  to show a template explaining the failure,
- `success(user)` should log in the given user and redirect to REDIRECT_FIELD_NAME,
- `get_service_name()` should return a gssapi.Name for your service; by
  default it returns None, so GSSAPI will match any name available (for example,
  with Kerberos it will match any name in your keytab, like
  `HTTP/my.domain.com`).

Settings
========

To make your application use GSSAPI as its main login method::

    LOGIN_URL = 'gssapi-login'

Your application needs an environment where a GSSAPI mechanism like Kerberos
will work. For Kerberos this means having a default keytab, or creating one and
setting its path in KRB5_KTNAME; alternatively you can use `GSSAPI_STORE` with MIT
Kerberos 5 and the credential store extension to indicate a keytab::

    GSSAPI_STORE = {'keytab': 'FILE:/var/lib/mykeytab'}

You can also force a GSSAPI name for your service with::

    import gssapi

    # Host-based service names are NameType values, written service@host
    GSSAPI_NAME = gssapi.Name('HTTP@my.service.com', gssapi.NameType.hostbased_service)

GSSAPI authentication backend
=============================

A dummy backend is provided in `django_gssapi.backends.GSSAPIBackend`; it looks
up the user with the same username as the GSSAPI name. You should implement your
own backend for your use case.

A custom authentication backend must have the following signature::

    class CustomGSSAPIBackend(object):
        def authenticate(self, request, gssapi_name):
            pass

The parameter `gssapi_name` is a `gssapi.Name` object; it can be cast to a
string to get the raw name.

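One way to write such a backend so that only principals from an expected realm map to local accounts. This is an added example, not code from django-gssapi; it assumes the raw name has the Kerberos form `primary@REALM`, and `ALLOWED_REALMS`, `principal_to_username`, `RealmCheckingGSSAPIBackend` and `lookup_user` are hypothetical names:

```python
# Added example, not django-gssapi code. ALLOWED_REALMS, principal_to_username,
# RealmCheckingGSSAPIBackend and lookup_user are names assumed for illustration.
ALLOWED_REALMS = frozenset(['EXAMPLE.COM'])  # constructed sample realm


def principal_to_username(raw_name, allowed_realms=ALLOWED_REALMS):
    """Map 'primary@REALM' to a local username, or None when rejected."""
    primary, sep, realm = raw_name.rpartition('@')
    # Realms are case-sensitive, so compare exactly against the allow-list.
    if not sep or not primary or realm not in allowed_realms:
        return None
    # Refuse instance/service principals (alice/admin, HTTP/host) and escaped
    # separators instead of guessing how they map to a local account.
    if any(c in primary for c in '/\\@'):
        return None
    return primary


class RealmCheckingGSSAPIBackend(object):
    def authenticate(self, request, gssapi_name):
        # The README states that casting gssapi_name to a string gives the raw name.
        username = principal_to_username(str(gssapi_name))
        if username is None:
            return None
        return self.lookup_user(username)

    def lookup_user(self, username):
        # Imported lazily so the parsing logic can be exercised without Django.
        from django.contrib.auth import get_user_model
        User = get_user_model()
        try:
            user = User._default_manager.get_by_natural_key(username)
        except User.DoesNotExist:
            return None
        return user if user.is_active else None

    def get_user(self, user_id):
        from django.contrib.auth import get_user_model
        User = get_user_model()
        try:
            return User._default_manager.get(pk=user_id)
        except User.DoesNotExist:
            return None
```
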
Kerberos username/password backend
==================================

If your users do not have their browser configured for SPNEGO HTTP
authentication, you can also provide a classic login/password form which checks
passwords using Kerberos. For this, use
`django_gssapi.backends.KerberosPasswordBackend`; the username is used as the
raw principal name.

django-rest-framework authentication backend
============================================

To authenticate users with GSSAPI you can use
`django_gssapi.drf.GSSAPIAuthentication`; it uses the configured GSSAPI
authentication backend to find a user and returns the GSSAPI name in
`request.auth`.