simplification: remove setting KERBEROS_KEYTAB
The keytab file must be passed to the Django process via the usual KRB5_KTNAME environment variable; there is no need for a custom setting for that. For reference, the syntax is KRB5_KTNAME=FILE:/path/to/keytab
This commit is contained in:
parent
8ea791cf98
commit
c76e9e24e2
7
README
7
README
@ -26,13 +26,6 @@ Hostname for retrieving the service key, the correspondig principal will be
`HTTP/{KERBEROS_HOSTNAME}@DEFAULT_REAML`, default is `None`. If `None` the hostname
from the request will be used.
`KERBEROS_KEYTAB`
-----------------
File path of the keytab containing the key for the service principal, default
is `None`. If `None` the default host keytab will be tried, which should fails
since it's usually only readable by root.
`KERBEROS_BACKEND_CREATE`
-------------------------
@ -8,7 +8,6 @@ class AppSettings(object):
'DEFAULT_REALM': None,
'SERVICE_PRINCIPAL': '',
'HOSTNAME': None,
'KEYTAB': None,
'KEEP_PASSWORD': False,
}
@ -1,5 +1,4 @@
import kerberos
import os
from django import http
from django.template.response import TemplateResponse
@ -16,37 +15,27 @@ def www_authenticate(request):
def login(request):
'''Try to authenticate the user using SPNEGO and Kerberos'''
next_url = request.REQUEST.get('next') or settings.LOGIN_REDIRECT_URL
if app_settings.KEYTAB:
old = os.environ.get('KRB5_KTNAME')
os.environ['KRB5_KTNAME'] = app_settings.KEYTAB
try:
host = app_settings.HOSTNAME or request.get_host().split(':')[0]
service = 'HTTP@%s' % host
host = app_settings.HOSTNAME or request.get_host().split(':')[0]
service = 'HTTP@%s' % host
if 'HTTP_AUTHORIZATION' in request.META:
kind, authstr = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
print authstr
if kind == 'Negotiate':
result, context = kerberos.authGSSServerInit(service)
if result != 1:
return TemplateResponse(request, 'django_kerberos/error.html')
r = kerberos.authGSSServerStep(context, authstr)
if r == 1:
gssstring = kerberos.authGSSServerResponse(context)
else:
return www_authenticate(request)
principal = kerberos.authGSSServerUserName(context)
kerberos.authGSSServerClean(context)
user = authenticate(principal=principal)
if user:
auth_login(request, user)
response = http.HttpResponseRedirect(next_url)
response['WWW-Authenticate'] = 'Negotiate %s' % gssstring
return response
return www_authenticate(request)
finally:
if app_settings.KEYTAB:
if old:
os.environ['KRB5_KTNAME'] = old
if 'HTTP_AUTHORIZATION' in request.META:
kind, authstr = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
print authstr
if kind == 'Negotiate':
result, context = kerberos.authGSSServerInit(service)
if result != 1:
return TemplateResponse(request, 'django_kerberos/error.html')
r = kerberos.authGSSServerStep(context, authstr)
if r == 1:
gssstring = kerberos.authGSSServerResponse(context)
else:
del os.environ['KRB5_KTNAME']
return www_authenticate(request)
principal = kerberos.authGSSServerUserName(context)
kerberos.authGSSServerClean(context)
user = authenticate(principal=principal)
if user:
auth_login(request, user)
response = http.HttpResponseRedirect(next_url)
response['WWW-Authenticate'] = 'Negotiate %s' % gssstring
return response
return www_authenticate(request)
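Review bot: The `del os.environ['KRB5_KTNAME']` kept in the `else` branch after `kerberos.authGSSServerStep(context, authstr)` on the new side is a leftover of the removed environment juggling and now works against this commit's intent: with the keytab supplied only through `KRB5_KTNAME`, a single malformed or rejected Negotiate token from any client unsets the variable for the whole worker process, so every later request in that worker falls back to the default host keytab (which the README says is normally unreadable) and Kerberos login stays broken until restart, and it raises `KeyError` if the variable was never set in the first place; the line should simply be dropped so the branch reads `else: return www_authenticate(request)`. Separately, `print authstr` echoes the raw SPNEGO/AP-REQ token from the client's `Authorization` header to stdout on every attempt; that is a credential-bearing blob that does not belong in process output or logs, so remove it (log only `kind` if a trace is needed). The rejected-token path also returns without `kerberos.authGSSServerClean(context)`, and a garbage token presumably makes `authGSSServerStep` raise `kerberos.GSSError`, which would surface as a 500 instead of the 401 challenge from `www_authenticate`; catching that exception around the step and falling through to the challenge would be the safer behaviour. The body of `login` appears complete within this hunk.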