I developed an Intranet for a client using Django. The users sign on to their computers via Active Directory. Currently, I log them in via standard Django contrib.auth, and use Active Directory via custom login backends.
What I'd like is for users to be able to use SSO via their existing Active Directory login to be automatically logged into the Django site.
I understand that this should be done via REMOTE_USER (https://docs.djangoproject.com/en/dev/howto/auth-remote-user/), but the documentation says: "where the Web server sets the REMOTE_USER environment variable". This assumes that the Django site and the authentication server are on the same server, no?
In my case, the Django site is running on a Linux + Apache server and the Active Directory on another Windows machine (there's actually 2 different AD servers we use to log people in), so I don't know how the REMOTE_USER env variable would be set.
The users are all using Windows machines.
The magic word herefore is kerberos authentication.
Your user does not authenticate against your django application but against your webserver. Your intranet probably has a kerberos service running, that authenticates your user for you and just gives you a user name in REMOTE_USER if he is authenticated.
You can then search your LDAP for specific Access Rights or have an own database with special access rights.
Here is a short article from CentOS. It is very important what your environment looks like, so all I cann do is show you the direction ;-)
http://wiki.centos.org/HowTos/HttpKerberosAuth
Related
I have Windows users that access a Django app that runs on a linux server. The question was asked, can that Django app use windows authentication to verify users? Or is it impossible since Django runs on a linux server.
The answer to your question is, "it depends." There are several different kinds of Windows Authentication, and it depends which you are using.
If you're logging into a company domain using Active Directory, then yes, you can use the same authentication for Django. I use a package called django-python3-ldap, which supports Active Directory; you can find it here:
https://github.com/etianen/django-python3-ldap
You'll have to work with your Microsoft Windows domain administrator to get the settings correct for your Active Directory LDAP server. Active Directory is Microsoft's brand name for its flavor of LDAP.
On the other hand, if you're using a local computer account, the answer is no, and if you're using a Microsoft Live account, the answer is... it's complicated!
Good luck.
I've successfully setup a sample Flask app on Windows / IIS 10.0 using wfastcgi with Python 3.6 running under a Windows domain account.
Now I'm trying to pass the IIS Windows Authentication user information to my Flask app. I've enabled only Windows Authentication in IIS and my browser authenticates successfully.
How do I find out which user is accessing the site in WSGI? I've checked the environment variables and the HTTP headers without luck.
PHP seems to have a fastcgi.impersonate-Option, but there seems to be no pendant for Python.
You mentioned that you've checked the environment variables and the HTTP headers. If you checked the environment variables with os.environ.get['REMOTE-USER'] then you should receive an empty string because your Python instance is running locally on the server and is not remote. And unless you use something like ISAPI rewrite, IIS won't write the REMOTE-USER to the headers either.
The easiest solution is to check the environment variables that IIS explicitly passes to Flask:
from Flask import request
username = request.environ('REMOTE_USER')
Basically i'm looking for an alternative of https://github.com/einfallstoll/express-ntlm for Python/Tornado
I could just add node.js as another layer in the application but I'd rather not
A way to get the windows user of the client acessing a url
This will be used in a web app only available on a corporate network
When deploying on IIS with IIS handling Windows authentication, you can retrieve the remote user from the environment variables. This assumes you have Windows authentication enabled and configured.
Then you can simply get the variables out of the environment. As noted in the Microsoft documentation applicable environment variables include REMOTE_USER, AUTH_USER, LOGON_USER, and UNMAPPED_REMOTE_USER. Check the docs for specific usages.
In Python, these can be retrieved with os.environ
Tested this using IIS 7.5 running a simple script and was able to get the username with Python simply by os.environ.get("REMOTE_USER")
If you're using a proxy, the environment variable may be different, such as 'HTTP_X_PROXY_REMOTE_USER'. The server may also need to be configured to pass those environment variables along if that's the case.
express-ntlm is based on an Apache Python project that does the very same: https://github.com/Legrandin/PyAuthenNTLM2/
I'm creating a small application that queries Active Directory for computer names. Currently I am using the ldap3 module since it seems to one of the few supporting Python3, but I am open to alternatives.
Is there any way to use the currently logged on users credentials to authenticate to the LDAP server?
This way a user can run the program and get the computer names if they're logged in as a domain user, without having to enter their username/password each time.
More info about my environment:
Windows Domain
Python 3.4
Modules: ldap3, pywin32, pyqt4
I have a very basic CGI based front end hosted on an IIS server.
I'm trying to find the users within my shop that have accessed this site.
All users on the network sign on with their LAN (Windows) credentials and the same session would be used to access the site.
The python getpass module (obviously) returns only the server name so is there a way to find the user names of the visitors to the site?
The stack is Python 2.7 on IIS 8.0, Windows Server 2012
When using Windows authentication on IIS, the server variables should contain the username in two variables: AUTH_USER and REMOTE_USER
CGI offers access to all server variables, check your Python docs on how to access them.