Auth(n/z) plugin for Django using kerberos + LDAP
Project description
django-kaminarimon
What is it?
django-kaminarimon (or just kaminarimon) is a library for integrating
Kerberos authentication and LDAP authorization into a Django/DRF application.
While users can choose to integrate either one independently, it is designed to use both, with JWTs as the interface for client<->server auth.
How to use
For Kerberos authentication
Set kaminarimon.auth.KerberosAuthentication either:
- In REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
- Individually at the view level
This will require the client to send a request with the header
Authorization: Negotiate <token> which will initiate the SPNEGO protocol.
If the client does not send this header when requesting a view
that requires Kerberos authentication, the WWW-Authenticate header is sent back to
the client, signaling that it should use the SPNEGO protocol for authentication.
[!TIP] By default the host or service principal will use the service's FQDN, but it can be overridden by setting the
KRB5_HOSTNAME environment variable.
For LDAP authorization
[!NOTE] A lot of the behavior of this authentication backend is currently hardcoded to only work with Red Hat systems.
[!NOTE] Anonymous user access to the LDAP server is required for querying user information.
[!WARNING] Using LDAP authorization on its own, without Kerberos authentication, is discouraged: it only handles authorization and does not perform any authentication of the user against the LDAP server, i.e. it simply loads the user's groups from the LDAP server.
Add kaminarimon.backend.LDAPRemoteUser to the
AUTHENTICATION_BACKENDS Django setting.
Required settings:
- AUTH_LDAP_SERVER_URI -- URI to the LDAP server
- PUBLIC_READ_GROUPS -- List of names of groups that, if the user is a member of, grant access to the application.
- SERVICE_MANAGE_GROUP -- Group that denotes a user as staff and/or superuser.
Intended usage (Kerberos authentication, LDAP authorization)
The same settings, warnings, notes and tips from the previous sections apply.
Ensure kaminarimon.backend.LDAPRemoteUser is in AUTHENTICATION_BACKENDS,
and add kaminarimon.views.krb5_obtain_token_pair_view to your urls.py;
it is through this view that clients obtain access and refresh JWTs.
To protect other views with these authentication tokens, set the view's
authentication class to rest_framework_simplejwt.authentication.JWTAuthentication
or similar, or set it globally using DEFAULT_AUTHENTICATION_CLASSES.
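A pre-deployment check for the configuration described above, as an added example that is not part of kaminarimon: it flags a settings dict that enables the LDAP backend without the required settings or without a global authentication class. The dotted paths and setting names are the ones quoted on this page; audit_settings and the sample values are hypothetical.

```python
# Added example (not kaminarimon code). Dotted paths and setting names are the
# ones quoted on this page; audit_settings and the sample values are hypothetical.
KRB = "kaminarimon.auth.KerberosAuthentication"
JWT = "rest_framework_simplejwt.authentication.JWTAuthentication"
LDAP_BACKEND = "kaminarimon.backend.LDAPRemoteUser"
REQUIRED = ("AUTH_LDAP_SERVER_URI", "PUBLIC_READ_GROUPS", "SERVICE_MANAGE_GROUP")


def audit_settings(cfg):
    """Return findings for a Django settings dict; an empty list means consistent."""
    findings = []
    backends = cfg.get("AUTHENTICATION_BACKENDS", [])
    drf_auth = cfg.get("REST_FRAMEWORK", {}).get("DEFAULT_AUTHENTICATION_CLASSES", [])
    if LDAP_BACKEND not in backends:
        return findings  # LDAP authorization is not enabled, nothing to check
    for name in REQUIRED:
        if not cfg.get(name):
            findings.append(f"missing required setting {name}")
    # Documented as a list of group names; a bare string is a likely typo.
    if not isinstance(cfg.get("PUBLIC_READ_GROUPS", []), (list, tuple)):
        findings.append("PUBLIC_READ_GROUPS must be a list of group names")
    # The backend only loads groups; something else must authenticate the user.
    if KRB not in drf_auth and JWT not in drf_auth:
        findings.append("no global Kerberos/JWT authentication class: "
                        "each view must set one itself")
    return findings


# Constructed sample: the intended usage (Kerberos -> JWT, LDAP authorization).
INTENDED = {
    "AUTHENTICATION_BACKENDS": [LDAP_BACKEND],
    "REST_FRAMEWORK": {"DEFAULT_AUTHENTICATION_CLASSES": [JWT]},
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.example.test",
    "PUBLIC_READ_GROUPS": ["app-readers"],
    "SERVICE_MANAGE_GROUP": "app-admins",
}
# Constructed sample: LDAP authorization on its own, with two setting mistakes.
LDAP_ONLY = {
    "AUTHENTICATION_BACKENDS": [LDAP_BACKEND],
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.example.test",
    "PUBLIC_READ_GROUPS": "app-readers",
}

if __name__ == "__main__":
    for label, cfg in (("intended", INTENDED), ("ldap-only", LDAP_ONLY)):
        print(label, audit_settings(cfg) or "ok")
```

The last finding is advisory: the page also allows setting the authentication class per view, which a settings-only check cannot see.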
Running tests
cd tests/
podman compose -f docker-compose.yml up -d
pytest .
File details
Details for the file django_kaminarimon-0.1.0.tar.gz.
File metadata
- Download URL: django_kaminarimon-0.1.0.tar.gz
- Upload date:
- Size: 5.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.7.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 447147b81390fbfa2ef6ad8c563a410a73eb8985a5b9a027680bab46eedeb9c2 |
| MD5 | b02d1e8915294076116204424aff49fd |
| BLAKE2b-256 | bb2e372b08f62359b6413394685eca44c66db81c0eb0a6c26da0c972959df9b9 |
File details
Details for the file django_kaminarimon-0.1.0-py3-none-any.whl.
File metadata
- Download URL: django_kaminarimon-0.1.0-py3-none-any.whl
- Upload date:
- Size: 7.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.7.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 00f68c0a49f205741878d761d32a390685eeea68c919e8ad13da861d5d4b9e32 |
| MD5 | 305414a96e351029439220d863c90057 |
| BLAKE2b-256 | b792c71bd92a33a2f4d668f7058a2391774f7b1c01643f37cd4b79ceb0a1eaf4 |