
Single sign on to Django site via remote Active Directory

I developed an Intranet for a client using Django. The users sign on to their computers via Active Directory. Currently, I log them in via standard Django contrib.auth, and use Active Directory via custom login backends.

What I'd like is for users to be able to use SSO via their existing Active Directory login to be automatically logged into the Django site.

I understand that this should be done via REMOTE_USER ( https://docs.djangoproject.com/en/dev/howto/auth-remote-user/ ), but the documentation says: "where the Web server sets the REMOTE_USER environment variable". This assumes that the Django site and the authentication server are on the same server, no?

In my case, the Django site is running on a Linux + Apache server and the Active Directory on another Windows machine (there are actually 2 different AD servers we use to log people in), so I don't know how the REMOTE_USER env variable would be set.

The users are all using Windows machines.

The magic word here is Kerberos authentication.

Your user does not authenticate against your django application but against your webserver. Your intranet probably has a kerberos service running, that authenticates your user for you and just gives you a user name in REMOTE_USER if he is authenticated.

You can then search your LDAP for specific Access Rights or have an own database with special access rights.

Here is a short article from CentOS. It is very important what your environment looks like, so all I can do is show you the direction ;-)

http://wiki.centos.org/HowTos/HttpKerberosAuth

Instead of Kerberos, just use LDAP:

  1. enable mod_ldap and mod_authnz_ldap
  2. ask your network admin to create a service account with access to search Active Directory, and then get the "Distinguished Name" and password to bind the service account
  3. add the following lines to your httpd.conf

         <Location />
           AuthName "Please enter your SSO credentials."
           AuthBasicProvider ldap
           AuthType basic
           AuthLDAPUrl "ldap://my.activedirectory.com:389/OU=Offices,DC=activedirectory,DC=com?sAMAccountName"
           AuthLDAPBindDN "CN=binding_account,OU=Administrators,DC=activedirectory,DC=com"
           AuthLDAPBindPassword <binding password>
           AuthLDAPBindAuthoritative off
           LDAPReferrals off
           Require valid-user
         </Location>

  4. Follow Django documentation and add RemoteUserMiddleware and RemoteUserBackend to AUTHENTICATION_BACKENDS .

Note, after enabling LDAP, authentication will be handled by Apache, and your sign in will look like this:

[Image: Apache LDAP authentication dialog]

For a more detailed answer please read this post on my blog
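Both answers above end at the same point: Apache authenticates the user (Kerberos or LDAP) and hands Django a bare REMOTE_USER value. Django's RemoteUserMiddleware trusts that value completely, so two things matter on the Django side: the name must come from the server-set WSGI variable (never from a client-supplied `Remote-User` header, which WSGI exposes as `HTTP_REMOTE_USER`), and a Kerberos principal like `alice@CORP.EXAMPLE.COM` or a `CORP\alice` name must be normalized to the sAMAccountName that Django accounts use, while names from a realm you did not set up (the question mentions two AD servers) are rejected. The following is an added example written for this page, not code from either answer or from Django itself; the `TRUSTED_REALMS` values and the `ADRemoteUserBackend` class name are constructed for illustration, and the stand-in `RemoteUserBackend` class is only used when Django is not installed so the module runs on its own.

```python
"""Normalize and validate the REMOTE_USER value Apache sets after Kerberos/LDAP auth."""
import re

# Constructed for this example: the Kerberos realm and NetBIOS domain that
# Apache is expected to authenticate for. Replace with the site's own AD names.
TRUSTED_REALMS = {"CORP.EXAMPLE.COM", "CORP"}

try:
    from django.contrib.auth.backends import RemoteUserBackend
except ImportError:  # Django not installed: minimal stand-in so this runs stand-alone
    class RemoteUserBackend:
        create_unknown_user = True

# sAMAccountName-style names only: letters, digits, dot, underscore, hyphen.
_SAM_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def clean_username(remote_user, trusted_realms=TRUSTED_REALMS):
    """Map 'alice@CORP.EXAMPLE.COM' (Kerberos principal), 'CORP\\alice'
    (domain-qualified) or plain 'alice' (LDAP sAMAccountName) to the bare,
    lower-cased account name. Returns None for an empty value, an untrusted
    realm/domain, or a malformed name."""
    if not remote_user:
        return None
    if "@" in remote_user:
        name, _, realm = remote_user.rpartition("@")
    elif "\\" in remote_user:
        realm, _, name = remote_user.partition("\\")
    else:
        name, realm = remote_user, None
    if realm is not None and realm.upper() not in trusted_realms:
        return None
    if not _SAM_RE.match(name):
        return None
    return name.lower()


def remote_user_from_environ(environ):
    """Return REMOTE_USER only from the server-populated WSGI environ key.
    A 'Remote-User' HTTP header sent by a client shows up as HTTP_REMOTE_USER
    and is deliberately ignored, so it can never impersonate an Apache login."""
    return environ.get("REMOTE_USER") or None


class ADRemoteUserBackend(RemoteUserBackend):
    """Django backend variant (hypothetical name) that refuses to auto-create
    accounts and normalizes the principal before the user lookup.
    On rejection it returns '' so Django's lookup simply finds no user."""
    create_unknown_user = False

    def clean_username(self, username):
        cleaned = clean_username(username)
        return cleaned if cleaned is not None else ""
```

To use it with a real Django project, list `ADRemoteUserBackend` in `AUTHENTICATION_BACKENDS` in place of the stock `RemoteUserBackend` and keep `RemoteUserMiddleware` after `AuthenticationMiddleware`; with `create_unknown_user = False`, only accounts you have provisioned in Django can log in, which is the safer default when the LDAP `<Location />` block (or the Kerberos setup) protects the whole site.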
