Django with Windows Integrated Security / SSPI


Rui Da Costa

Aug 3, 2008, 5:01:10 PM
to django...@googlegroups.com
Hi All,
I've got Django 1.0 Alpha up and running with a basic app using mod_python under Apache.
I intend to host on a windows server (restriction for now), and would like to use SSPI/windows integrated security - so that i can use windows for authentication and group membership information.

I know there's a mod_sspi for Apache, and i've seen the documentation for plugging in custom auth backends - but has anyone had success putting this together or does anyone know of any work being done on this in the past? 'cause i'm not having much success googling for this so far.

Thanks in advance for any leads...
RuiDC



Ramiro Morales

Aug 3, 2008, 8:22:28 PM
to django...@googlegroups.com

Take a look at the patch attached to ticket #689, which covers exactly this
kind of situation (namely, when the authentication is handled at the
web server).

If you test the patch, please post your experiences to the list.

Regards,

--
Ramiro Morales

ruidc

Aug 4, 2008, 4:25:18 AM
to Django users
Thanks for your reply - i'd come across ticket 689 searching the
code & comments for kerberos on a hunch ;)

I think the comments and code assume a level of knowledge quite a
few levels above my current level....

However i see you've done some work on this yourself.

If you have any examples of how you put it all together, i'm more than
happy to test it and refine the documentation around it for others, as
i'll definitely need this to take Django into pre-production testing.

Also, from your comments on
http://groups.google.com/group/django-developers/browse_thread/thread/44104954ebaa219a/4fd066030cf23bfe?hl=en&lnk=gst#4fd066030cf23bfe

you used mod_wsgi - (instead of mod_python) was this out of preference
or necessity with regards to this particular ticket?

Best Regards,
RuiDC


koenb

Aug 4, 2008, 8:12:01 AM
to Django users
On 4 aug, 10:25, ruidc <ruidc.ru...@gmail.com> wrote:
> Thanks for your reply - i'd come across ticket 689 searching the
> code & comments for kerberos on a hunch ;)
>
> I think the comments and code assume a level of knowledge are quite a
> few levels above my current level....
>
> However i see you've done some work on this yourself.
>
> If you have any examples of how you put it all together, i'm more than
> happy to test it and refine the documentation around it for others, as
> i'll definitely need this to take Django into pre-production testing.
>
> Also, from your comments on http://groups.google.com/group/django-developers/browse_thread/thread...
>
> you used mod_wsgi - (instead of mod_python) was this out of preference
> or necessity with regards to this particular ticket?
>
> Best Regards,
> RuiDC
>

Hi RuiDC,

you can do this just as easily with mod_python if you like.
Say you're using apache with mod_auth_sspi (don't forget to include
that one), you just do something like this:

<Location "/">
AuthName "MYDOMAIN"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain "MYDOMAIN"
SSPIOmitDomain On
SSPIUsernameCase "upper"
SSPIPerRequestAuth On

Require valid-user

SetHandler python-program
PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE name_of_settings_file
PythonDebug On
PythonPath "['PROJECTPARENTPATH'] + ['PROJECTPATH'] + sys.path"
PythonInterpreter somename
</Location>

This works just fine for me in combination with the patch from 689
(though I changed it a little to allow only a superuser to login
explicitly so I can check some things by impersonating different
users).
Don't forget to add the middleware and authentication backend to your
settings file (the one you use on the server).

Hope this helps,

Koen

ruidc

Aug 4, 2008, 10:44:15 AM
to Django users
Thanks for the quick reply,

I have installed mod_auth_sspi (1.0.4) by copying the module to the
Apache /modules directory and the sspipkgs.exe to the apache /bin
directory and adding
LoadModule sspi_auth_module modules/mod_auth_sspi.so
to my https.conf

Next i added the extras to the Location tag, so it now reads as
follows:

<Location "/Django/">

AuthName "MAVERICK"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain "MAVERICK"
SSPIOmitDomain On
SSPIUsernameCase "upper"
SSPIPerRequestAuth On

Require valid-user

SetHandler python-program
PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE mysite.settings
PythonOption django.root /mysite
PythonDebug On
PythonPath "['E:/Program Files/Apache Software Foundation/Apache2.2/Django/','E:/Program Files/Apache Software Foundation/Apache2.2/Django/mysite/'] + sys.path"
</Location>

I then added the two new classes as per ticket #689 to
\django\contrib\auth\backends.py and middleware.py

I then amended my application settings.py:
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.doc.XViewMiddleware',
    # RDC added as per ticket #689 and http://groups.google.com/group/django-users/browse_thread/thread/956a3fbb9ee821cd
    'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
)

# RDC added as per ticket #689 and http://groups.google.com/group/django-users/browse_thread/thread/956a3fbb9ee821cd
AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.RemoteUserAuthBackend',
)

then i added the following to urls.py for testing:
(r'^Django/mysite/(.*)', 'mysite.item_inventory.views.test'),

and finally, views.py is:

from django.http import HttpResponse

def test(request, blah):
    # Debug view: echoes the request object and the captured URL group.
    return HttpResponse("Hello, world. You're at the item_inventory index. --" + str(request) + "--#--" + str(blah) + "--")


I restarted Apache and opened up the only session of IE 7:
- IE7 prompts me for login - as i am on an XP workstation that is not
part of a domain, i log in as MAVERICK\rui with my XP password. Not
sure why it prompts but...
- It successfully takes me to the view without any further login and
the request headers include:
'HTTP_AUTHORIZATION': 'NTLM
'REMOTE_USER': 'RUI'

So looks to be mostly working -:
1. is there any way to get it to not prompt me for login/pwd as per IIS
webpage request (i have been using Apache and mod_auth_sspi for the
grand total of one day - and Django for only a few days longer so this
could explain my ignorance)?
2. the test method i defined above needed a second parameter, but i
have no idea why and it was blank upon running str(blah), any ideas?
3. running the contrib.admin pages, it still asks me to log-in to
Django, why is this/how can i skip this and use the NTLM?
4. how is windows group membership meant to work at this point? ie.
with the small changes made to backends.py and middleware.py, i cannot
see how/where to test for windows group membership?

Thanks for the help so far, it looks promising that it'll work, i'm
just not sure where/how to investigate the above from here.
Any advice is appreciated.

Best Regards,
Rui

ruidc

Aug 4, 2008, 12:32:29 PM
to Django users
just a small piece to add - i have item 3 working after setting up the
right permissions for the user in the django permissioning.
still need guidance on the others.

Also, to clarify point 1 - the current behaviour i'm seeing is
essentially the same as a "basic authentication" request, what i'd
like is no prompting and just the windows credentials to be picked up
correctly. Is this possible?

koenb

Aug 4, 2008, 4:02:56 PM
to Django users
I am no expert myself, but some thoughts:

1. auth_sspi is supposed to authenticate you to the domain, so if your
machine is not in the domain, you are likely to get prompted. If it is
in the domain, you should not see anything. That part works fine for
me.
2. Your url is capturing one parameter (though you left it unnamed, it
is the (.*) part of your url), so your view needs to accept one.
You are using the django.root option in a rather strange way: if you
put your django app in location '/django/' you would normally make
your django.root '/django'. this way you can omit the '/django/mysite'
part of your url.
3. This is what I understand to be happening: apache authenticates you
in the domain and if it is ok (require valid-user), invokes django and
passes django the name of the user (via the remote_user variable).
Then django middleware comes into action: if your session already had
a user, the normal authentication MW will use that info. If not, the
remoteuserMW will use the remote_user name to try and authenticate
you. This uses the authentication_backend, which will by default just
check if the user is already known, if not, creates a new user (since
apache already authenticated, this is supposed to be a valid user).
For all the rest, django's auth system is used, so django will use the
groups and permissions as they are known in django. If you want to use
the group membership info from the domain, you will have to look into
using ldap to retrieve that information (I have not done this yet so I
can't help you on that one).

Koen
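
The flow described in point 3 above, modelled without Django as an added example (not part of the thread and not the code from ticket #689). `UserStore` and `resolve_user` are hypothetical names, `meta` stands in for `request.META`, and discarding a session that belongs to a different user is an assumption added here.

```python
# Added illustration: framework-free model of the REMOTE_USER flow.
# UserStore and resolve_user are hypothetical names, not Django's API.

class UserStore:
    """Stands in for Django's user table."""

    def __init__(self):
        self.users = {}  # username -> {"name": ..., "groups": set()}

    def get_or_create(self, username):
        created = username not in self.users
        user = self.users.setdefault(
            username, {"name": username, "groups": set()})
        return user, created


def resolve_user(meta, session, store):
    """Return (username, how) for one request, or (None, "anonymous")."""
    # Only the variable set by the web server is trusted. A client-sent
    # "Remote-User:" header arrives as HTTP_REMOTE_USER and is never read.
    remote = meta.get("REMOTE_USER")
    if not remote:
        return None, "anonymous"
    # SSPIUsernameCase "upper" already upper-cases the name; normalising
    # again keeps one account per person if that directive changes.
    remote = remote.strip().upper()

    if session.get("user") == remote:
        return remote, "session"  # existing session user is reused

    # Assumption beyond the thread: a session owned by a different user
    # than the one Apache just authenticated is dropped, not reused.
    session.clear()
    # Unknown users are created on first sight because Apache has already
    # authenticated them. The new account has no groups: Windows group
    # membership is not carried over, permissions come from Django.
    user, created = store.get_or_create(remote)
    session["user"] = user["name"]
    return user["name"], "created" if created else "authenticated"
```

A freshly created account having no groups matches what was seen in the thread: the admin pages only opened once permissions were set up for the user inside Django.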

ruidc

Aug 5, 2008, 1:06:15 PM
to Django users
Thanks again for your response... and the comprehensiveness of it!

I'll give it a try on a domain at the earliest opportunity - and i'll
investigate the other two areas further in light of your response.

Thanks again,
Rui

Adoleo

Sep 16, 2008, 1:11:22 AM
to Django users
I tried this, and I can confirm that IE doesn't ask for a username and
password if you are on the domain. The RemoteUserAuthMiddleware and
RemoteUserAuthBackend worked perfectly. Does anyone know if this will
be merged into the Django trunk?

As the first post on the blog I'm starting up, I added a howto
describing my experience. If anyone has differences that they've
observed during their experience, or ideas on how to handle this
better, please let me know so that I can keep the howto up to date.

http://www.adoleo.com/blog/2008/09/13/django-apache-mod-auth-sspi/

Thanks!