I have Windows users that access a Django app that runs on a linux server. The question was asked, can that Django app use windows authentication to verify users? Or is it impossible since Django runs on a linux server.
The answer to your question is, "it depends." There are several different kinds of Windows Authentication, and it depends which you are using.
If you're logging into a company domain using Active Directory, then yes, you can use the same authentication for Django. I use a package called django-python3-ldap, which supports Active Directory; you can find it here:
https://github.com/etianen/django-python3-ldap
You'll have to work with your Microsoft Windows domain administrator to get the settings correct for your Active Directory LDAP server. Active Directory is Microsoft's brand name for its flavor of LDAP.
On the other hand, if you're using a local computer account, the answer is no, and if you're using a Microsoft Live account, the answer is... it's complicated!
Good luck.
Related
A website has been developed on a local ubuntu machine using python flask. The website runs fine on ubuntu at 127.0.0.1:5000. This website is supposed to go live on a godaddy server for which there is cpanel access. How to do it?
If it's a shared hosting solution, Answer to your question is NO, you can't do it. In a shared hosting environment Godaddy using only a PHP Stack. so you won't be able to use python there. Either go with VPS and configure your server. or go with a cloud service provider like Digital ocean, AWS, Linode etc.,
If your CPanel has the "Setup Python App" option (it's CloudLinux-based), you can try to deploy there.
I had a problem where only the root URL would work and all other routes returned 404.
Add the following to the top of your .htaccess file:
RewriteEngine on
RewriteRule ^http://%{HTTP_HOST}%{REQUEST_URI} [END,NE]
Got this info from: https://stackoverflow.com/a/63971427/10122266
Apologies that I couldn't add this as a comment as I do not have sufficient rights yet. But this solution worked for me and it would be a pitty if this little gem is hidden from those who may arrive here.
So would appreciate if this post is not deleted.
My reading of Cognito is that it can be used in place of a local Django admin database to authenticate users of a website. However I am not finding any soup-to-nuts examples of a basic "Hello, World" app with a login screen that goes through Cognito. I would very much appreciate it if someone could post an article that shows, step-by-step, how to create a Hello World Django app and a Cognito user pool, and then how to replace the default authentication in Django with a call to AWS Cognito.
In particular I need to know how to gather the information from the Cognito admin site that is needed to set up a call to Cognito API to authenticate a user.
There are two cases to consider: App user login to App, and Admin login to django Admin URL of site. I assume that I would want to use Cognito for both cases, otherwise I am leaving a potential hole where the Admin URL is using a weaker login technology.
Current answers on AWS forums and StackExchange either say:
(1) It is a waste of time to use Cognito for authenticating a website, it is only for access to AWS resources
(2) It is not a waste of time. I am about to give up. I have gone as far as creating a sample Cognito user pool and user groups, and of scouring the web for proper examples of this use case. (None found, or I wouldn't be writing.)
(3) https://github.com/capless/warrant, https://github.com/metametricsinc/django-warrant are two possible solution from the aws forums.
If you are reading this, you probably googled "aws cognito django" xD.
I just want to share what I did in order to get this thing to work:
Django-Warrant. Great aws cognito wrapper package.
Make sure to understand your current User model structure. If you use custom user model, don't forget to map it using COGNITO_ATTR_MAPPING setting.
Change your authentication to support 3rd party connectivity. When you get from the client some Cognito token, convert it into your own token using oAuth/JWT/Session.
Rethink your login/register process. Do you want different registration? The django-warrant package supports it...
At the end of the day, this is a GREAT solution for fast authentication.
To add to the accepted answer, there is a simple but very important extra step that I found was necessary to take to use django-warrant with Django 2.0:
The conditional in backend.py in the root package needs to be changed from:
if DJANGO_VERSION[1] > 10
to:
if DJANGO_VERSION[1] > 10 or DJANGO_VERSION[0] > 1:
Using django-warrant with Zappa and AWS Lambda:
The project I am working on also uses Zappa to enable the serverless deployment of my Django app to AWS Lambda. Although the above code fixed django-warrant for me when testing locally, after deploying the app to the Lambda environment, I had another significant issue stemming from some of django-warrant's supporting packages - primarily related to python-jose-pycryptodome, which django-warrant uses during the authentication process. The issue showed itself in the form of a FileNotFound error related to the Crypto._SHA256 file. This error appears to have been caused because pycryptodome expects different files to be available in the Crypto package at runtime on Windows (which I am developing on) and Linux (the Lambda environment) respectively. I ended up solving this issue by downloading the Linux version of pycryptodome and merging its Crypto package with the Crypto package from the Windows version.
TLDR: If you want to use django-warrant with AWS Lambda and you are developing on a Windows machine, make sure to download the Linux version of pycryptodome and merge its Crypto package with the same from the Windows version.
Note: The versions of pycryptodome and python-jose (not python-jose-cryptodome) that I ended up using to achieve the above were 3.7.2 and 3.0.1 respectively.
Basically i'm looking for an alternative of https://github.com/einfallstoll/express-ntlm for Python/Tornado
I could just add node.js as another layer in the application but I'd rather not
A way to get the windows user of the client acessing a url
This will be used in a web app only available on a corporate network
When deploying on IIS with IIS handling Windows authentication, you can retrieve the remote user from the environment variables. This assumes you have Windows authentication enabled and configured.
Then you can simply get the variables out of the environment. As noted in the Microsoft documentation applicable environment variables include REMOTE_USER, AUTH_USER, LOGON_USER, and UNMAPPED_REMOTE_USER. Check the docs for specific usages.
In Python, these can be retrieved with os.environ
Tested this using IIS 7.5 running a simple script and was able to get the username with Python simply by os.environ.get("REMOTE_USER")
If you're using a proxy, the environment variable may be different, such as 'HTTP_X_PROXY_REMOTE_USER'. The server may also need to be configured to pass those environment variables along if that's the case.
express-ntlm is based on an Apache Python project that does the very same: https://github.com/Legrandin/PyAuthenNTLM2/
I'm creating a small application that queries Active Directory for computer names. Currently I am using the ldap3 module since it seems to one of the few supporting Python3, but I am open to alternatives.
Is there any way to use the currently logged on users credentials to authenticate to the LDAP server?
This way a user can run the program and get the computer names if they're logged in as a domain user, without having to enter their username/password each time.
More info about my environment:
Windows Domain
Python 3.4
Modules: ldap3, pywin32, pyqt4
I developed an Intranet for a client using Django. The users sign on to their computers via Active Directory. Currently, I log them in via standard Django contrib.auth, and use Active Directory via custom login backends.
What I'd like is for users to be able to use SSO via their existing Active Directory login to be automatically logged into the Django site.
I understand that this should be done via REMOTE_USER (https://docs.djangoproject.com/en/dev/howto/auth-remote-user/), but the documentation says: "where the Web server sets the REMOTE_USER environment variable". This assumes that the Django site and the authentication server are on the same server, no?
In my case, the Django site is running on a Linux + Apache server and the Active Directory on another Windows machine (there's actually 2 different AD servers we use to log people in), so I don't know how the REMOTE_USER env variable would be set.
The users are all using Windows machines.
The magic word herefore is kerberos authentication.
Your user does not authenticate against your django application but against your webserver. Your intranet probably has a kerberos service running, that authenticates your user for you and just gives you a user name in REMOTE_USER if he is authenticated.
You can then search your LDAP for specific Access Rights or have an own database with special access rights.
Here is a short article from CentOS. It is very important what your environment looks like, so all I cann do is show you the direction ;-)
http://wiki.centos.org/HowTos/HttpKerberosAuth