Ntlm/Kerberos authentication in Django
I'm looking for a guide about adding windows authentication support into a django app, particulary OSQA
I'm aware about http://code.google.com/p/python-ntlm/ And also saw this post: http://erny-rev.blogspot.com/2007/11/ntlm-authentication-in-django.html But I'm not a Django-dev, I just want to deploy OSQA in Windows enviroment (intranet, so I need to add windows authentication). So I'm looking for simple step-by-step description.
(I've managed to deploy a OSQA site on windows with SQL Server and it's working)
UPDATE:
I'd like to get not just auth against AD but SSO-like behavior in IE. As a user access my django-based site in IE it'd automaticaly authenticated with its domain account.
Answer
You can do this using Apache, mod_auth_kerb and REMOTE_USER authentication with Django hosted as mod_wsgi.
Here is an example of some config we use:
WSGIDaemonProcess myapp user=myapp group=myapp processes=5 threads=1
WSGIProcessGroup myapp
WSGIScriptAlias /myapp /home/wolapp/code/wolapp.wsgi
<VirtualHost ...>
<Location /myapp>
AuthType Kerberos
AuthName "Domain Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms YOUR.DOMAIN
Krb5Keytab /etc/krb5.keytab
KrbServiceName HTTP/server.your.domain
require valid-user
</Location>
</VirtualHost>
You then need to setup this:
http://docs.djangoproject.com/en/dev/howto/auth-remote-user/
A couple of caveats to note:
- Opera fails completely in our testing; it can't handle the "Negotiate" header
- IE works fine if the machine is in the domain, but if it isn't, you get prompted for your password twice - the first time the machine uses "ITSNAME\username" which fails; the second time the bare "username"
Hope this helps.