Kerberos authentication for Django
Project description
Kerberos authentication for Django
Provide Kerberos authentication to Django applications.
Basic usage
Add this to your project urls.py:
url('^accounts/kerberos/', include('django_auth_kerb.urls')),
And use the default authentication backend, by adding that to your settings.py file:
AUTHENTICATION_BACKENDS = (
'django_auth_kerberos.backends.KerberosBackend',
)
Settings
KERBEROS_HOSTNAME
Hostname for retrieving the service key, the correspondig principal will be HTTP/{KERBEROS_HOSTNAME}@DEFAULT_REAML, default is None. If None the hostname from the request will be used.
KERBEROS_BACKEND_CREATE
Whether to create user if no existing model can be found, default is False.
KERBEROS_BACKEND_ADMIN_REGEXP
A regular expression that the principal must match to get superuser privileges, default is None. A classic example could be r’^.*/admin$’.
KERBEROS_SERVICE_PRINCIPAL
The service principal to use when checking a password against the KDC, you don’t need the secret key for this principal, it should just exist inside the Kerberos database as the check is done by trying to get ticket for this service. Default is None. It’s used only by the pseudo password haser and the login/password authentication backend.
KERBEROS_KEEP_PASSWORD
Does the KerbersoPasswordBackend store a hash of the checked password inside the user model each time a user log in. Default is False. It allows your website to provide a backup authentication if Kerberos is failing or if you ever need to detach from the realm.
Custom backend
A custom authentication backend can be used, in this case the signature of the authenticate method must be:
class CustomKerberosBackend(object):
def authenticate(self, principal=None):
pass
Sample application
First you need to install django-kerberos into your environment like that:
python setup.py install
If you want to try the sample application you must add this line to your /etc/hosts file, absolutely at the beginning:
127.0.0.1 test.example.com
Then you must connect to your Kerberos administration server and add the principal HTTP/test.example.com and export its key in a keytab file:
$ kadmin -p myuser/admin kadmin: addprinc -randkey HTTP/test.example.com kadmin: ktadd -k /tmp/keytab HTTP/test.example.com
Finally you can run the sample:
cd sample; KRB5_KTNAME=FILE:/tmp/keytab python ./manage.py runserver
Now you should be able to login on http://test.example.com:8000/
The sample project is configured so that all principal ending with /admin get the staff and superuser flags. You can change that by editing the key KERBEROS_BACKEND_ADMIN_REGEXP in sample/sample/settings.py.
Pseudo hasher
A pseudo hasher whose import path is django_kerberos.hashers.KerberosHasher provide a mean to associate a Django user model to a Kerberos identity.
The content of the password field must be kerberos$<principal name>.
To create an user for a principal you can do:
User.objects.create(username=new_username, password='kerberos$' + principal)
Login/Password backend
If your users does not have their browser configured for SPNEGO HTTP authentication you can also provide a classic login/password form which check passwords using Kerberos.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
