Basically i'm looking for an alternative of https://github.com/einfallstoll/express-ntlm for Python/Tornado
I could just add node.js as another layer in the application but I'd rather not
A way to get the windows user of the client acessing a url
This will be used in a web app only available on a corporate network
When deploying on IIS with IIS handling Windows authentication, you can retrieve the remote user from the environment variables. This assumes you have Windows authentication enabled and configured.
Then you can simply get the variables out of the environment. As noted in the Microsoft documentation applicable environment variables include REMOTE_USER, AUTH_USER, LOGON_USER, and UNMAPPED_REMOTE_USER. Check the docs for specific usages.
In Python, these can be retrieved with os.environ
Tested this using IIS 7.5 running a simple script and was able to get the username with Python simply by os.environ.get("REMOTE_USER")
If you're using a proxy, the environment variable may be different, such as 'HTTP_X_PROXY_REMOTE_USER'. The server may also need to be configured to pass those environment variables along if that's the case.
express-ntlm is based on an Apache Python project that does the very same: https://github.com/Legrandin/PyAuthenNTLM2/
Related
I have Windows users that access a Django app that runs on a linux server. The question was asked, can that Django app use windows authentication to verify users? Or is it impossible since Django runs on a linux server.
The answer to your question is, "it depends." There are several different kinds of Windows Authentication, and it depends which you are using.
If you're logging into a company domain using Active Directory, then yes, you can use the same authentication for Django. I use a package called django-python3-ldap, which supports Active Directory; you can find it here:
https://github.com/etianen/django-python3-ldap
You'll have to work with your Microsoft Windows domain administrator to get the settings correct for your Active Directory LDAP server. Active Directory is Microsoft's brand name for its flavor of LDAP.
On the other hand, if you're using a local computer account, the answer is no, and if you're using a Microsoft Live account, the answer is... it's complicated!
Good luck.
I have task to create SSO (single sign-on) authorization in Python backend application with the help of Kerberos and Active Directory.
In other words, frontend application make AJAX GET request of the specific URL of the backend application. That backend application must return information about employee in JSON format.
What I have done so far:
1) SPN name for the backend application was created in Active Directory.
2) krb5.keytab file for the backend application was created.
3) Active Directory and Kerberos server located on remote Windows server.
4) Backend application would be in Linux Docker container.
5) I install Kerberos client to Docker container.
6) Kerberos Realm: SERVICE.LOCAL.
7) Hostname for the KDC Server: CS001, CS002, CS003.
Have you ever seen any implementations of the above process in Python? I will be grateful for any help.
You have 2 ways to handle this:
Handle it directly in Python
Handle it in a proxy such as apache or nginx
Pure Python Solution
If you don't have a proxy or just want to handle it in python anyway, I recommend using the python-gssapi library. Here's a code sample. There are other Python bindings but from my reading, this one seems to be the most complete.
Note, if you handle it this way, your python server will probably need to be able to respect the keep-alive header (i.e. re-use the same connection for multiple requests). This isn't strictly part of the SPENGO protocol, but most browsers seem to require that the server implements it.
Proxy Solution
If you're using apache, there's a mod_auth_kerb module you can use which is well documented. There's also a mod_auth_gssapi which provides similar functionality.
For nginx, there's a similar module available.
With any of these proxy solutions, the idea is that the proxy handles Kerberos auth, and sets the REMOTE_USER env variable for your python app. So your python app needs to be able to accept this variable as an authenticated user. Django has middleware specifically for that purpose - I'm not sure about Flask (I mention these 2 frameworks because they're in your question's tags).
I've successfully setup a sample Flask app on Windows / IIS 10.0 using wfastcgi with Python 3.6 running under a Windows domain account.
Now I'm trying to pass the IIS Windows Authentication user information to my Flask app. I've enabled only Windows Authentication in IIS and my browser authenticates successfully.
How do I find out which user is accessing the site in WSGI? I've checked the environment variables and the HTTP headers without luck.
PHP seems to have a fastcgi.impersonate-Option, but there seems to be no pendant for Python.
You mentioned that you've checked the environment variables and the HTTP headers. If you checked the environment variables with os.environ.get['REMOTE-USER'] then you should receive an empty string because your Python instance is running locally on the server and is not remote. And unless you use something like ISAPI rewrite, IIS won't write the REMOTE-USER to the headers either.
The easiest solution is to check the environment variables that IIS explicitly passes to Flask:
from Flask import request
username = request.environ('REMOTE_USER')
I would like to run a public jupyter notebook server. I only want few people able to use it. I see on Jupyter documentation to set the password but did not set the ssl items.
After setting the password:
Everything is as before setting the password, I can do whatever i please like before so can everybody.
I want user able to have own account password to use the notebook web.
Anyone having same view able to help me ?
Unfortunately, Jupyter is not designed to support this out of the box.
One possible solution would be to put your Jupyter instance behind an apache web server:
configure jupyter to listen only on 127.0.0.1. This is the default configuration, but it sounds as if you've already changed this.
configure apache with the appropriate authentication modules (LDAP, local passwords, basic auth, etc).
configure apache's mod_proxy to pass connections from the apache server to jupyter on localhost.
Unfortunately, steps 2 and 3 are beyond the scope of what I can cover here since it depends on your OS, version of apache, and other aspects of your environment. It may be enough for me to point out that this is no different than putting apache in front of another web application server such as Jetty or tomcat, which is documented extensively on other sites on the internet.
https://wiki.eclipse.org/Jetty/Tutorial/Apache
Is it possible to run django without shell access? My hoster supports the following for 5€/month:
python (I assume via mod_python)
mysql
There is no shell nor cronjob support, which costs additional 10€/month, so I'm trying to avoid it.
I know that Google Apps also work without shell access, but I assume that is possible because of their special configuration.
It's possible but not desirable. Having shell access makes it possible to centralise things properly using symlinks.
Get a better host would be my first suggestion. WebFaction is the most recommended shared host for using with Django.
If that's out of your price range, there are plenty of hosts that give you a proper system account (vs just a ftp account) and have mod_python or mod_wsgi (preferred now).
Google Apps works without shell because their system looks for a dispatcher script that you have to write to an exact specification.
It is possible.
Usually you will develop your application locally (where shell access is nice to have) and publish your work to your server. All you need for this is FTP access and some way to import a database dump from your development database (often hosters provide an installation of phpMyAdmin for this).
python (I assume via mod_python)
From my experience, you are most certainly wrong with that assumption. Many low-cost providers claim to support python but in fact provide only an outdated version that can be used with CGI scripts. This setup will have a pretty low performance for Django apps.