Impossible? Django with NTLM SSO auth on windows?


Anton

Feb 25, 2013, 3:06:33 PM
to django...@googlegroups.com
Hi,

I am using my django in the following way:

OS: Windows 7 (64 bit)

+ Python 2.7.3 (32bit)

+ apache 2.4.3 (32 bit) from apachelounge
(I use the version which was built with vs2008 like python 2.7.3)
http://www.apachelounge.com/download/win32/binaries/httpd-2.4.3-win32-VC9.zip

+ django 1.4.5

+ mod_wsgi 3.4 (32 bit) from http://code.google.com/p/modwsgi/
(compiled manually with vs2008 since no binaries available)

I would like to use the typical Windows intranet scenario
where you have a single-sign-on with the internet explorer.

At least in our company the ASP .NET powered intranet sites
work fine with this.

I googled around, and if I understood right, this auth system
is called NTLM and if you want to use it, you need
the apache module "mod-auth-sspi".

If I look at the project page
http://sourceforge.net/projects/mod-auth-sspi/?source=dlp
I see only stuff dated from 2011 and only for *apache 2.2*.

And if I read this article on apachelounge:

http://www.apachelounge.com/viewtopic.php?t=4548

then there will be *never* a support for Apache 2.4.

In the Django docs:
"Authentication using REMOTE_USER"
https://docs.djangoproject.com/en/1.4/howto/auth-remote-user/

you get links to mod_auth_sspi but it has been forgotten to mention
that this module (it seems) is now obsolete.

So the question is:

Is it possible to obtain SSO with Django on a Windows powered machine,
or do I have to give up and try my luck with ASP.NET or perhaps php for
windows or whatever.

I love Django & python, but I am here in a dead end.

Is there somebody using this scenario (which is quite common in big
companies)?

Thanks.
Anton

Branko Majic

Feb 25, 2013, 4:00:27 PM
to django...@googlegroups.com
Hm... Did you maybe think about using Kerberos part of the AD for
authentication instead?

Best regards

--
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.


Anton

Mar 4, 2013, 4:19:35 PM
to django...@googlegroups.com
@Branko,

no...I didn't think about Kerberos, I only realised
in the last day that AD uses this system (which I don't know either)

Do you know some tutorial/howto describing this SSO
with Django/apache on windows?

Or am I the only one on this planet with this idea?

Thanks

Anton

Avraham Serour

Mar 4, 2013, 4:24:51 PM
to django...@googlegroups.com
Hi,

Does anyone think of using ntlm instead of/on top of oauth/social logins?
Ideally this could be given as another choice of login/authentication on top of oauth options; this would be a solution to the user not having to remember yet another password. Does Linux have anything like that?

Would this be practical, has anyone thought of this?

avraham





Andre Terra

Mar 4, 2013, 5:29:42 PM
to django...@googlegroups.com
FYI, I found a nginx module for Kerberos authentication too:

It hasn't been updated in quite some time, but it is apparently working and perhaps one of you will feel like taking a swing at it.


Cheers,
AT

Branko Majic

Mar 5, 2013, 4:11:05 AM
to django...@googlegroups.com
I've set-up a Kerberised environment some time ago, but I can't recall
what docs I've been reading back then, so no recommendations there. I
would recommend reading a little about it on Wikipedia (for start) to
get the high-level overview.

The environment I've set-up had relied upon MIT Kerberos
implementation (and to top it off I also used PKINIT), although I was
able to have the Windows 7 clients authenticate against it. So no idea
what happens if using AD.

You're probably not the only person on the planet, but it's probably
an avoided solution due to some issues you can get. A small piece of advice -
_always_ first verify that the time on your machines is good. 90% of
problems I had were related to clock differences between server,
Kerberos servers, and user workstations.

Best regards

Anton

Mar 5, 2013, 4:45:53 PM
to django...@googlegroups.com
Hmmm

the bad support (as you mention "it hasn't been updated in quite some time")
seems to be a major problem in this domain.

I just looked at (for apache)
http://mod-auth-sspi.sourceforge.net/docu/mod_ntlm/

Here they say mod_ntlm is obsolete and
" mod_auth_sspi is the version of mod_ntlm for Apache-2.0"

but on the other side mod_auth_sspi seems to be dead too,
so actually I am still not sure if it's possible,
if you don't want to use pure Microsoft technologies
(like asp.net IIS server & other tools from ms)

I am looking ......

Bye

anton

Tom Evans

Mar 6, 2013, 4:52:48 AM
to django...@googlegroups.com
On Tue, Mar 5, 2013 at 9:45 PM, Anton <ant...@gmx.de> wrote:
> Hmmm
>
> the bad support (as you mention "it hasn't been updated in quite some time")
> seems to be a major problem in this domain.

The NTLM/SSPI protocols haven't changed in a long time. Why should the
projects that support this tech need 'activity' on something that
works?

>
> I just looked at (for apache)
> http://mod-auth-sspi.sourceforge.net/docu/mod_ntlm/
>
> Here they say mod_ntlm is obsolete and
> " mod_auth_sspi is the version of mod_ntlm for Apache-2.0"
>
> but on the other side mod_auth_sspi seems to be dead too,

Indeed. There is more to life as an apache module than authentication,
in Apache 2.2 there is optionally authorization, and in 2.4 there is
no 'optional' about it. So mod_auth_sspi will never exist for Apache
2.4. Instead, there is (alpha) mod_authnz_sspi

https://www.apachehaus.net/modules/mod_authnz_sspi/

which seems to be supplied as a binary module, with no source code...

> so actually I am still not sure if it's possible,
> if you don't want to use pure Microsoft technologies
> (like asp.net IIS server & other tools from ms)
>
> I am looking ......
>

The software you want is not compatible with your choice of web
server. The way I see it, you have four choices:

1) Use Apache 2.2 and mod_auth_sspi
2) Use Apache 2.4, port mod_auth_sspi to Apache 2.4
3) Use Apache 2.4, use binary mod_authnz_sspi, live with the security issues
4) Continue looking!

Cheers

Tom

Yves Rausch

Jul 7, 2013, 4:01:21 PM
to django...@googlegroups.com, teva...@googlemail.com
Hello guys,

we had a similar issue and created a new module on apache 2.4 where you can use ntlm authentication on a windows machine.
Here is the binary download and some information (including a link to github repository): http://www.informer.de/produkte/apache-sspi-ntlm/
Hope this helps.

Andre Terra

Jul 31, 2013, 5:25:13 PM
to django...@googlegroups.com, teva...@googlemail.com
On Sun, Jul 7, 2013 at 5:01 PM, Yves Rausch <yves....@gmail.com> wrote:
> Hello guys,
>
> we had a similar issue and created a new module on apache 2.4 where you can use ntlm authentication on a windows machine.
> Here is the binary download and some information (including a link to github repository): http://www.informer.de/produkte/apache-sspi-ntlm/
> Hope this helps.

Excellent news! Congratulations on the achievement and thank you so much for sharing this with us!


Best wishes,
AT
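
Added example (not part of any message in this thread, and not code from Django or from the Apache modules mentioned): whichever module ends up setting REMOTE_USER, the Django side described in the "Authentication using REMOTE_USER" howto receives a string such as DOMAIN\user (SSPI/NTLM modules) or user@REALM (Kerberos modules). The function below normalizes both forms and rejects values from unexpected domains; the function name, the CORP domain names and the account-name pattern are assumptions.

```python
import re

# Assumption: the AD domain names (NetBIOS and DNS/realm form) allowed to log in.
ALLOWED_DOMAINS = frozenset({"CORP", "CORP.EXAMPLE.COM"})

# Assumption: conservative account-name pattern; adjust to the local naming policy.
_ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def normalize_remote_user(raw, allowed_domains=ALLOWED_DOMAINS):
    """Return a bare lower-case account name, or None if the value is rejected.

    Handles the two forms SSO modules commonly place in REMOTE_USER:
      DOMAIN\\user  (SSPI/NTLM style)
      user@REALM    (Kerberos style)
    """
    if not raw:
        return None
    value = raw.strip()
    if "\\" in value:
        domain, _, account = value.partition("\\")
    elif "@" in value:
        account, _, domain = value.rpartition("@")
    else:
        # No domain part: refuse rather than guess which directory vouched for it.
        return None
    if domain.upper() not in allowed_domains:
        return None
    if not _ACCOUNT_RE.fullmatch(account):
        return None
    return account.lower()


# Constructed sample values, as they might arrive in request.META["REMOTE_USER"].
if __name__ == "__main__":
    for sample in ("CORP\\JDoe", "jdoe@corp.example.com", "OTHER\\jdoe", "jdoe"):
        print(repr(sample), "->", normalize_remote_user(sample))
```

In a Django project this check would sit in a RemoteUserBackend subclass (Django's clean_username() hook is the usual place for the prefix stripping), with the login refused when the function returns None.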