Kerberos authentication backend for Python Social Auth
Project description
This package provides Kerberos backend for Python Social Auth. It can be used to enable passwordless authentication inside a Django app or any other application that supports Python Social Auth. This is a pure Python implementation which doesn’t depend on Apache mod_auth_kerb.
Installation
To install:
pip install social-auth-kerberos
WARNING: you will need gcc, Python and kerberos devel packages to build the gssapi dependency because it doesn’t provide binary packages. Try dnf install gcc krb5-devel python3-devel (Red Hat/Fedora) or apt-get install gcc libkrb5-dev libpython3-dev (Debian/Ubuntu).
Configuration
Configure Python Social Auth and then make sure you have the following settings enabled:
AUTHENTICATION_BACKENDS = [
'social_auth_kerberos.backend.KerberosAuth',
'django.contrib.auth.backends.ModelBackend',
]
SOCIAL_AUTH_KRB5_KEYTAB = '/Kiwi/your-application.keytab'
IMPORTANT:
The principal name for your Kiwi TCMS web service must be HTTP/<fqdn.example.com>@REALM.EXAMPLE.COM where fqdn.example.com is the domain name of the Kiwi TCMS server and REALM.EXAMPLE.COM is the Kerberos realm that is used in your organization.
/Kiwi/your-application.keytab is the keytab file for your web app principal! If you install this inside a Docker container make sure to chown 1001:root!
Pipeline configuration
Python Social Auth, and by extension this plugin, will create new user accounts upon first access of the web interface. In Kiwi TCMS users need to either be in the special group Tester or have sufficient permissions to add/edit/delete objects.
You can automatically assign new accounts to the Tester group if you append social_auth_kerberos.pipeline.initiate_defaults to the end of the SOCIAL_AUTH_PIPELINE setting.
WARNING: this is not done for you automatically because some administrators may want to employ different behaviour for newly registered accounts!
Kerberos configuration
For more information about Kerberos see:
or check out tests/Dockerfile.kerberos.
Changelog
v0.3.0 (17 Dec 2023)
Update gssapi from 1.6.12 to 1.8.3
Update social-auth-core from 4.0.1 to 4.5.1
Document the need to compile gssapi. Fixes Issue #3
Build and test with Python 3.11, Kiwi TCMS v12.7
Remove unused import
v0.2.4 (24 Mar 2020)
Add social_auth_kerberos.pipeline with function to initialize default permissions for newly created accounts. See section Pipeline configuration
Update README with more information how to configure this plugin
Enable integration testing with Kerberos and coverage collection
v0.2.3 (22 Mar 2020)
Keep a reference to current user before checking anything else. Resolves a crash for clients which know that the server is Kerberos enabled and directly send the Authorization header
Be more tolerant to authorization request headers which don’t match RFC-4459, section 4.2
v0.2.2 (10 Nov 2019)
Pin license version to GPLv2 for Tidelift
v0.2.1 (10 Dec 2018)
Initial release
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for social-auth-kerberos-0.3.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1d405dda23fb3263b2385f5d8013e43995b7960222ba8841593161b331011c2a |
|
| MD5 | 57229e77d5e503282416df9ea43cbf7a |
|
| BLAKE2b-256 | dc4bfe3b545a293688ac38502a760b6eec98d8429aafeb0412050e0f2567b8a7 |
Hashes for social_auth_kerberos-0.3.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | cd6cad046b7286ce9f25d7ceec406398e31dc0ba3968a7810b31f612d365fbcc |
|
| MD5 | f5a5bd8ca17557421e801e38f498edf5 |
|
| BLAKE2b-256 | ee729167a131b645ed69212121d3e6244d59b2cd0fbc58fcdc07534c87f53ca4 |
