GSSAPI authentication for Django
Project description
GSSAPI authentication for Django
Provide GSSAPI (SPNEGO) authentication to Django applications.
It’s a rewrite of django-kerberos using python-gssapi.
It’s only tested with MIT Kerberos 5 using package k5test.
Python 2 and 3, Django >1.8 are supported.
Basic usage
Add this to your project urls.py:
url('^auth/gssapi/', include('django_gssapi.urls')),
And use the default authentication backend, by adding that to your settings.py file:
AUTHENTICATION_BACKENDS = ( 'django_gssapi.backends.GSSAPIBackend', )
View
django-gssapi provide a base LoginView that you can subclass to get the behaviour your need, the main extension points are:
challenge() returns the 401 response with the challenge, you should override it to show a template explaining the failure,
success(user) it should log the given user and redirect to REDIRECT_FIELD_NAME,
get_service_name() it should return a gssapi.Name for your service, by default it returns None, so GSSAPI will match any name available (for example with Kerberos it will match any name in your keytab, like @HTTP/my.domain.com@).
Settings
To make your application use GSSAPI as its main login method:
LOGIN_URL = 'gssapi-login'
Your application need an environment where the GSSAPI mechanism like Kerberos will work, for Kerberos it means having a default keytab of creating one and setting its path in KRB5_KTNAME or you can use GSSAPI_STORE with MIT Kerberos 5 and credential store extension to indicate a keytab:
GSSAPI_STORE = {'keytab': 'FILE:/var/lib/mykeytab'}
You can also force a GSSAPI name for you service with:
import gssapi GSSAPI_NAME = gssapi.Name('HTTP/my.service.com', gssapi.MechType.hostbased_service)
GSSAPI authentication backend
A dummy backend is provided in django_gssapi.backends.GSSAPIBackend it looks up user with the same username as the GSSAPI name. You should implement it for your use case.
A custom authentication backend must have the following signature:
class CustomGSSAPIBackend(object): def authenticate(self, request, gssapi_name): pass
The parameter gssapi_name is a gssapi.Name object, it can be casted to string to get the raw name.
Kerberos username/password backend
If your users does not have their browser configured for SPNEGO HTTP authentication you can also provide a classic login/password form which check passwords using Kerberos. For this use django_gssapi.backends.KerberosPasswordBackend, the username is used as the raw principal name.
django-rest-framework authentication backend
To authenticate users with GSSAPI you can use django_gssapi.drf.GSSAPIAuthentication, it uses the configured GSSAPI authentication backend to find an user and returns the GSSAPI name in request.auth.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django_gssapi-1.0-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | fc9eb8d02a37321f310d83d0c2d9ed575d4aedc59246d817dc819fd1da82d00c |
|
MD5 | dcdde5222f7ff51dca49cf9874f85182 |
|
BLAKE2b-256 | 699747e43dea8fc7b79403dd4a840963235b45f1616cd601e35b4606a8326c11 |