Single sign on to Django site via remote Active Directory

 

I developed an Intranet for a client using Django. The users sign on to their computers via Active Directory. Currently, I log them in via standard Django contrib.auth, and use Active Directory via custom login backends.

What I'd like is for users to be able to use SSO via their existing Active Directory login to be automatically logged into the Django site.

I understand that this should be done via REMOTE_USER (https://docs.djangoproject.com/en/dev/howto/auth-remote-user/), but the documentation says: "where the Web server sets the REMOTE_USER environment variable". This assumes that the Django site and the authentication server are on the same server, no?

In my case, the Django site is running on a Linux + Apache server and the Active Directory on another Windows machine (there's actually 2 different AD servers we use to log people in), so I don't know how the REMOTE_USER env variable would be set.

The users are all using Windows machines.

The magic word herefore is kerberos authentication.

Your user does not authenticate against your django application but against your webserver. Your intranet probably has a kerberos service running, that authenticates your user for you and just gives you a user name in REMOTE_USER if he is authenticated.

You can then search your LDAP for specific Access Rights or have an own database with special access rights.

Here is a short article from CentOS. It is very important what your environment looks like, so all I cann do is show you the direction ;-)

http://wiki.centos.org/HowTos/HttpKerberosAuth

Instead of Kerebos, just use LDAP:

  • enable mod_ldap and mod_authz_ldap
  • ask your network admin to create a service account with access to search Active Directory, and then get the "Distinguished Name" and password to bind the service account

  • add the following lines to your httpd.conf 

    <Location />
  AuthName "Please enter your SSO credentials."
  AuthBasicProvider ldap
  AuthType basic
  AuthLDAPUrl "ldap://my.activedirectory.com:389/OU=Offices,DC=activedirectory,DC=com?sAMAccountName"
  AuthLDAPBindDN "CN=binding_account,OU=Administrators,DC=activedirectory,DC=com"
  AuthLDAPBindPassword <binding password>
  AuthLDAPBindAuthoritative off
  LDAPReferrals off
  Require valid-user
</Location>
  • Follow Django documentation and add RemoteUserMiddleware and RemoteUserBackend to AUTHENTICATION_BACKENDS .

    • Note, after enabling LDAP, authentication will be handled by Apache, and your sign in will look like this:

    Apache LDAP认证对话框

    For a more detailed answer please read this post on my blog

    链接地址: http://www.djcxy.com/p/33762.html

    上一篇: django中的LDAP验证错误

    下一篇: 通过远程Active Directory单点登录到Django站点