I am using my mail server to send mail using Django. When I try to use the send_mail function, I am met with an authentication error. I know that it is not the password, because I can use it to login to my mail account.
How My Mail Server is Setup
I am running Ubuntu 16.0.4 with Nginx and Gunicorn for my Django application. I have installed Roundcube, postfix and dovecot.
How Do I add Users to Roundcube?
For me, the only way I know how to do this is by just adding a new user from the CLI using adduser <user> and from there, logging into Roundcube so that my new user is added to the Roundcube database, and I have an accessible account on Roundcube.
What I Suspect to be The Issue
Since I am creating the users for Roundcube directly from the CLI and they are full Unix users, I can only login to Roundcube using their actual username, and not username#domain.tld. I suspect that Django is trying to authenticate with user#domain.tld rather than user and that is what is causing the issue.
How Can I Fix This?
I am not sure, hence why I am here. I have done my research and cannot find the proper information on making it so that I can login to Roundcube using user#domain.tld instead of just user, but I don't think this will solve my issue.
I have also done research and cannot find an answer on how to create just a mail user, and not a full-blown Unix user. I was thinking this might be my best option. Although, I could be completely wrong.
Related
I am a newbie in development and in Django in particular.
I have developed a project that is in testing and I am starting to think about production deployment and in particular the initialization of the database and the creation of the users.
I'm not sure which is the simplest and most effective approach ...
I have searched on Google but I did not find anything on this subject ...
I'm going to have more than thirty user accounts to create at once, so I wrote a script that I will launch on my production database.
In addition to managing password hashing (for the moment, I am using a Python shell to use the make_password() function and create a valid password) in this script, I am wondering how to send the login / password to automate my users.
I did not see an option 'send identifiers by email' in the Django admin interface, even though it is very complete,
so I imagine that I have to create an application or at least a script to manage it?
I made a Flask app using flask-login and flask-sqlalchemy.
When I run my app and log in with the same user id on more than 2 devices or different browsers, it fails and renders Internal Server Error.
But I want to make this simultaneous. When somebody logs in with the same user credentials as somebody currently logged in, I don't want anybody to be logged out or face an error but to share the same user.
How can I make this?
If this is impossible, I want to inform the first-logged-in user (like "your session was terminated because another user logged in with users" or something). Any hints or examples?
The issue might lie within your custom login code. You can attach your code to the question or try using the code supplied in the documentation:
https://flask-login.readthedocs.io/en/latest/#login-example
I am a newbie to Django, but I know how to create a simple application in Python/Django, how to add a new page, how to link it into the url file, etc.
Now what I am trying to do is create a very simple webapp where, on the landing page, I will have a login link.
When the user clicks on this link it should go to George Washington University's authentication window, and then I can enter my university's credentials and it should authenticate and come back to a page stating **Login Successful**
I have gone through many tutorials, but they all look very confusing.
I have installed the xmlsec1, pysaml2 and djangosaml2 modules but even after that I was clueless about what to do next. I have never felt as clueless as I do with this authentication module.
It will be great if anyone can guide me with the process.
You didn't say what web server you were using but, on Apache, I'd recommend you use the mod_shib Apache module in conjunction with the Django authentication middleware.
In broad strokes, you are going to let Apache/mod_shib do the SAML heavy lifting and interact with the IdP and you are going to let Django manage users for you. You are going to connect the two by using a piece of Django authentication middleware that authenticates users using the REMOTE_USER environment variable to communicate between Apache and the Django app.
So, first set up Django using Django authentication as described in the Django documentation. Validate that you can create a user using the admin tools and that you can log in and establish a session using the Django authentication methods.
Once you have simple, local login working, install the RemoteUser middleware and validate that, by setting the REMOTE_USER environment variable, you can cause your Django app to log a user in (you can do all this testing using the development server locally on your development machine).
Once you have demonstrated that you can log a user in by having the REMOTE_USER environment set, you need to install the Apache shibboleth module, mod_shib and use it to protect the root of your application.
Assuming your application is located at /mysite the config in your virtualhost section would include:
<Location /mysite>
ShibRequestSetting redirectToSSL 443
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Location>
That configuration will tell apache that the /mysite path requires mod_shib to get involved and forces the communication over ssl/tls.
I will not go through all the configuration steps needed to install and configure shibboleth but, basically, you want to set your application default (shibboleth2.xml file) with REMOTE_USER=eppn (if you want to use another attribute like eptid you would specify that); this tells the module which attribute to stuff in the REMOTE_USER environment variable. Again, the shib doc is pretty clear here so I won't go into detail about how to redirect to your university IdP but, basically, you will create an entry in your Sessions section of the form:
<SSO entityID="https://idp.testshib.org/idp/shibboleth">
Where you would substitute your IdP location for the testshib URL shown above.
Note that we are setting REMOTE_USER to the eppn value and that that value will be interpreted by the Django auth middleware as the user's username; you will need to create Django users with usernames that are the same as their eppn for this to work. You can also allow Django to auto-provision new accounts if, for instance, you deem IdP authentication sufficient evidence to create a new user account but, with auto-provisioning, only the minimal bits get set up; you would still need to go into that account and set first name, last name, phone, etc.
The net effect is that, whenever an unauthenticated user tries to visit a location under /mysite, they will be redirected to your university IdP, they will log on there and be redirected back. The mod_shib module (in conjunction with the shibd daemon running in the background) will handle the attribute unpacking and the session state with the IdP and will set the eppn value in the REMOTE_USER environment variable. Assuming that your Django application was set up correctly with Apache, it will be invoked and the RemoteUser middleware will use the eppn value set in the REMOTE_USER environment variable to look up the user with that username in the authentication database. If it finds a user, it will complete the Django login process (i.e. set the user object in the request, set the session state, etc.)
One more thing. To talk to your university IdP and have it release attributes to your application (i.e. eppn), you will need to do three things:
Import their IdP metadata
Export your SP metadata and have your university identity folks import it
Get your university identity team to release eppn to you
Just be aware that those three steps can be a challenge and may take non-trivial time and homework.
One more one more thing: I would recommend verifying the SAML setup separate from your Django app/middleware integration. Using the simplest mechanism you are comfortable with (simple wsgi app, php script, whatever) create a page that will simply dump the REMOTE_USER environment variable when browsed then protect that first. Once you have that page redirecting to your IdP and dumping the correct eppn in REMOTE_USER on return, then you can move on to the Django bits.
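An added example (not part of the original answer): a minimal WSGI page for the stand-alone verification step recommended above. It reports the REMOTE_USER value set by the web server and separately lists any client-supplied header that only looks like it. The function names and the sample eppn are constructed for illustration.

```python
"""Diagnostic WSGI page: report the identity the front-end web server passed in."""
from wsgiref.util import setup_testing_defaults


def identity_report(environ):
    """Return (trusted_user, spoofable_headers) for one WSGI request.

    REMOTE_USER is set by the server's auth module (mod_shib in this setup).
    HTTP_* keys are copied from request headers, so any client can send
    "Remote-User: someone" and have it show up as HTTP_REMOTE_USER.
    """
    trusted = environ.get("REMOTE_USER") or None
    spoofable = {k: v for k, v in environ.items()
                 if k.startswith("HTTP_") and k.endswith("REMOTE_USER")}
    return trusted, spoofable


def application(environ, start_response):
    trusted, spoofable = identity_report(environ)
    lines = ["REMOTE_USER = %r" % trusted]
    lines += ["IGNORED client header %s = %r" % kv for kv in sorted(spoofable.items())]
    body = "\n".join(lines).encode("utf-8")
    # No REMOTE_USER means the request reached the app without passing mod_shib.
    status = "200 OK" if trusted else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
    return [body]


def call(overrides):
    """Run the app in-process against a constructed environ (no network)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(overrides)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(application(environ, start_response)).decode("utf-8")
    return seen["status"], body


if __name__ == "__main__":
    print(call({"REMOTE_USER": "alice@example.edu"}))  # constructed eppn
    print(call({"HTTP_REMOTE_USER": "admin"}))         # client-supplied header only
```

Remove the page once REMOTE_USER shows the expected eppn after the IdP round trip.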
I have a Flask app (Python 2.7) running on an IIS server in Windows 10. The server is configured to use Windows Authentication. I am using an HttpPlatformHandler in order to execute the Python code.
I have verified that the authentication is working and am able to see the Kerberos "Negotiate" auth header. However, I cannot find a way to access the username of the user who requested the page.
I have tried printing the entire request header and request environment and it is not there. This post seems to be about my issue but the code in it is not correct. What can I do to pass the Windows username of the requester to my python code?
I would like to access the username of the user in order to both restrict page access by user and remove certain elements from pages based on user.
It turns out that the answer on this post works for my configuration as well. I simply downloaded ISAPI_Rewrite 3, copied and pasted the text into httpd.conf, and was able to access the name of the user by calling request.headers.get('X-Remote-User') in my Python code.
I suggest using the os library:
import os
username = os.getlogin()
If the user is logged in, you can use flask_login.current_user.name to get the info.
My Django app, deployed in mod_wsgi under Apache using Django's standard WSGIHandler, authenticates users via form login on the Django side. So to Apache, the user is anonymous. This makes the Apache access log less useful.
Is there a way to pass the username back through the WSGI wrapper to Apache after handling the request, so that it appears in the Apache access log?
(Versions: Django 1.1.1, mod_wsgi 2.5, Apache 2.2.9)
You can only do it if using embedded mode and only if you use a separate package called apswigpy, which provides a Python binding for original Apache request object. The mod_wsgi package provides an optional mechanism for allowing original Apache request object to be passed as Python CObject reference in WSGI environment. You use that in conjunction with apswigpy something like:
from apache.httpd import request_rec
r = request_rec(environ['apache.request_rec'])
r.user = user
At least I think that will setup the appropriate information which access logging can then use.
You should really take this discussion over to the mod_wsgi mailing list.
You could use mod_auth_tkt. An auth_tkt is a signed cookie with the user id that Apache can understand. Your web application would have to set the cookie when the user logs in and out. Apache can derive a REMOTE_USER from the cookie, pass it to your web app or a non-Django web application running on the same server, include it in logs, whatever.
This probably isn't what you're expecting, but you could use the username in your URL scheme. That way the user will be in the path section of your apache logs.
You'd need to modify your authentication so that auth-required responses are obvious in the apache logs, otherwise when viewing the logs you may attribute unauthenticated requests to authenticated users. E.g. return a temporary redirect to the login page if the request isn't authenticated.
Correct me if I'm wrong, but what's stopping you from creating some custom middleware that sets a cookie equal to the display name of the current user logged in? This middleware will run on every view, so even though technically the user could spoof his username to display whatever he wants it to display, it'll just be reset anyway and it's not like it's a security risk because the username itself is just for log purposes, not at all related to the actual user logged in. This seems like a simple enough solution, and the Apache log can access cookies, so that gives you the easiest access. I know some people wouldn't like the idea of a given user spoofing his own username, but I think this is the most trivial solution that gets the job done. Especially, in my case, when it's an iPhone app and the user doesn't have any direct access to a JavaScript console or the cookies themselves.
Tested for the latest (Django 2.x, Apache 2.4).
Source: https://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration
You need to add WSGIPassAuthorization on in either the server config, virtual host, directory or .htaccess.