Mapping SSL certificates to django users

[Tomas Kouba]

Hello,

how can I map a DN (or any other part of X509 certificate) to a django user?

I have found a documentation article about django middleware using REMOTE_USER
transferred from apache, but I am not sure if this is the way and if yes how to
- tell apache that a given part of X509 certificate should go to REMOTE_USER
- map REMOTE_USER strings to django users

Thank you for any help,

--
Tomas Kouba

[Tom Evans]

On Mon, Apr 2, 2012 at 2:03 PM, Tomas Kouba <to...@jikos.cz> wrote:
> Hello,
>
> how can I map a DN (or any other part of X509 certificate) to a django user?
>
> I have found a documentation article about django middleware using
> REMOTE_USER
> transferred from apache, but I am not sure if this is the way and if yes how
> to
> - tell apache that a given part of X509 certificate should go to REMOTE_USER

This is covered by Apache's mod_ssl docs:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

> - map REMOTE_USER strings to django users

This you will have to do yourself. It's quite easy, simply extend
django.contrib.auth.backends.RemoteUserBackend, override the
clean_username() method to correctly extract the username from
whatever bit of the certificate you placed in REMOTE_USER, and set
that as one of your AUTHENTICATION_BACKENDS.

Cheers

Tom

[mitja...@gmail.com]

Hi tomaso

Did you maybe found the solution? We have the same issue.

Best regards
Mitja

[Roberto De Ioris]

> Hi tomaso
>
> Did you maybe found the solution? We have the same issue.
>
> Best regards
> Mitja

Both apache and nginx can set the HTTPS_DN/other_names_as_well variable to
the distinguished name of the x509 peer.

Just add

SSLOptions +StdEnvVars

I use it as a decorator to protect some view:

https://github.com/unbit/uwsgi.it/blob/master/uwsgi_it_api/views.py#L19

this works in mod_wsgi and variables/cgi based proxies like FastCGI,SCGI
or uwsgi

--
Roberto De Ioris
http://unbit.it