GSSAPI authentication for Django
Project description
GSSAPI authentication for Django
Provide GSSAPI (SPNEGO) authentication to Django applications.
It’s a rewrite of django-kerberos using python-gssapi.
It’s only tested with MIT Kerberos 5 using package k5test.
Python 2 and 3, Django >1.8 are supported.
Basic usage
Add this to your project urls.py:
url('^auth/gssapi/', include('django_gssapi.urls')),
And use the default authentication backend, by adding that to your settings.py file:
AUTHENTICATION_BACKENDS = ( 'django_gssapi.backends.GSSAPIBackend', )
View
django-gssapi provide a base LoginView that you can subclass to get the behaviour your need, the main extension points are:
challenge() returns the 401 response with the challenge, you should override it to show a template explaining the failure,
success(user) it should log the given user and redirect to REDIRECT_FIELD_NAME,
get_service_name() it should return a gssapi.Name for your service, by default it returns None, so GSSAPI will match any name available (for example with Kerberos it will match any name in your keytab, like @HTTP/my.domain.com@).
Settings
To make your application use GSSAPI as its main login method:
LOGIN_URL = 'gssapi-login'
Your application need an environment where the GSSAPI mechanism like Kerberos will work, for Kerberos it means having a default keytab of creating one and setting its path in KRB5_KTNAME or you can use GSSAPI_STORE with MIT Kerberos 5 and credential store extension to indicate a keytab:
GSSAPI_STORE = {'keytab': 'FILE:/var/lib/mykeytab'}
You can also force a GSSAPI name for you service with:
import gssapi GSSAPI_NAME = gssapi.Name('HTTP/my.service.com', gssapi.MechType.hostbased_service)
GSSAPI authentication backend
A dummy backend is provided in django_gssapi.backends.GSSAPIBackend it looks up user with the same username as the GSSAPI name. You should implement it for your use case.
A custom authentication backend must have the following signature:
class CustomGSSAPIBackend(object): def authenticate(self, request, gssapi_name): pass
The parameter gssapi_name is a gssapi.Name object, it can be casted to string to get the raw name.
Kerberos username/password backend
If your users does not have their browser configured for SPNEGO HTTP authentication you can also provide a classic login/password form which check passwords using Kerberos. For this use django_gssapi.backends.KerberosPasswordBackend, the username is used as the raw principal name.
django-rest-framework authentication backend
To authenticate users with GSSAPI you can use django_gssapi.drf.GSSAPIAuthentication, it uses the configured GSSAPI authentication backend to find an user and returns the GSSAPI name in request.auth.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django_gssapi-0.9b2-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 07dcb9525d6a64ff39ba53014d92fbddeb9a293359d0e68ced8a278d033110b9 |
|
MD5 | 56cf656cf255400a10540695a25ff245 |
|
BLAKE2b-256 | 9ba677cc00cfa5d92c0ea0848c693fceebf01b97111707392d30a0e35b759d78 |