Kerberos authentication for Django
==================================

Provide Kerberos authentication to Django applications.

Basic usage
===========

Add this to your project `urls.py`::

    url('^accounts/kerberos/', include('django_auth_kerb.urls')),

Then use the default authentication backend by adding this to your `settings.py` file::

    AUTHENTICATION_BACKENDS = (
        'django_auth_kerberos.backends.KerberosBackend',
    )

Settings
========

`KERBEROS_HOSTNAME`
-------------------

Hostname used to retrieve the service key; the corresponding principal will be
`HTTP/{KERBEROS_HOSTNAME}@DEFAULT_REALM`. Default is `None`, in which case the
hostname from the request is used.

`KERBEROS_BACKEND_CREATE`
-------------------------

Whether to create a user if no existing model can be found, default is `False`.

`KERBEROS_BACKEND_ADMIN_REGEXP`
-------------------------------

A regular expression that the principal must match to get superuser privileges,
default is `None`. A classic example could be `r'^.*/admin$'`.

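A quick way to check a candidate `KERBEROS_BACKEND_ADMIN_REGEXP` before deploying it, as an added example that is not part of django-kerberos. It assumes the pattern is applied with `re.match()` and tries principals both with and without an `@REALM` suffix, since this page does not say which form the backend receives; all principals, realm names and helper names are constructed for illustration.

```python
import re

# Constructed principals; names and realms are illustrative only.
# Whether the backend sees the "@REALM" suffix is an assumption to verify,
# so both forms are provided.
ADMINS = ["alice/admin@EXAMPLE.COM"]
NON_ADMINS = [
    "bob@EXAMPLE.COM",                # ordinary user
    "bob/administrator@EXAMPLE.COM",  # instance only starts with "admin"
    "carol/admin@OTHER.EXAMPLE",      # /admin instance in another realm
]
SHORT_ADMINS = ["alice/admin"]
SHORT_NON_ADMINS = ["bob", "bob/administrator"]


def audit_admin_regexp(pattern, admins, non_admins):
    """Return (principal, problem) pairs for a candidate pattern.

    Assumption: the pattern is applied with re.match(), which anchors at the
    start of the principal only.
    """
    compiled = re.compile(pattern)
    problems = []
    for principal in admins:
        if not compiled.match(principal):
            problems.append((principal, "admin not recognised"))
    for principal in non_admins:
        if compiled.match(principal):
            problems.append((principal, "unexpected superuser"))
    return problems


def realm_pinned_pattern(realm, instance="admin"):
    """Pattern for '<primary>/<instance>@<realm>': a single primary component,
    literal instance and realm, and \\Z so a trailing newline cannot match."""
    return r"^[^/@]+/%s@%s\Z" % (re.escape(instance), re.escape(realm))


CANDIDATES = {
    "page example": r"^.*/admin$",
    "unanchored": r".*/admin",
    "realm pinned": realm_pinned_pattern("EXAMPLE.COM"),
}

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        print(name, "full:", audit_admin_regexp(pattern, ADMINS, NON_ADMINS))
        print(name, "short:", audit_admin_regexp(pattern, SHORT_ADMINS, SHORT_NON_ADMINS))
```

An empty list means the pattern grants superuser to exactly the principals you listed as admins and to none of the others.
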
`KERBEROS_SERVICE_PRINCIPAL`
----------------------------

The service principal to use when checking a password against the KDC. You do
not need the secret key for this principal; it only has to exist in the
Kerberos database, because the check is done by trying to get a ticket for this
service. Default is `None`. It is used only by the pseudo password hasher and
the login/password authentication backend.

`KERBEROS_KEEP_PASSWORD`
------------------------

Whether the KerberosPasswordBackend stores a hash of the checked password in
the user model each time a user logs in. Default is `False`. It allows your
website to provide a backup authentication if Kerberos is failing or if you
ever need to detach from the realm.

Custom backend
==============

A custom authentication backend can be used; in that case the signature of its
`authenticate` method must be::

    class CustomKerberosBackend(object):
        def authenticate(self, principal=None):
            pass

Sample application
==================

First you need to install django-kerberos into your environment like this::

    python setup.py install

If you want to try the sample application you must add this line to your `/etc/hosts` file, at the very beginning::

    127.0.0.1 test.example.com

Then you must connect to your Kerberos administration server, add the
principal HTTP/test.example.com and export its key to a keytab file::

    $ kadmin -p myuser/admin
    kadmin: addprinc -randkey HTTP/test.example.com
    kadmin: ktadd -k /tmp/keytab HTTP/test.example.com

Finally you can run the sample::

    cd sample; KRB5_KTNAME=FILE:/tmp/keytab python ./manage.py runserver

Now you should be able to log in on http://test.example.com:8000/

The sample project is configured so that all principals ending with `/admin` get
the staff and superuser flags. You can change that by editing the key
`KERBEROS_BACKEND_ADMIN_REGEXP` in `sample/sample/settings.py`.

Pseudo hasher
=============

A pseudo hasher whose import path is `django_kerberos.hashers.KerberosHasher`
provides a means to associate a Django user model with a Kerberos identity.

The content of the password field must be `kerberos$<principal name>`.

To create a user for a principal you can do::

    User.objects.create(username=new_username, password='kerberos$' + principal)

Login/Password backend
======================

If your users do not have their browser configured for SPNEGO HTTP
authentication, you can also provide a classic login/password form which checks
passwords using Kerberos.