Single sign on to Django site via remote Active Di

2020-05-27 09:33发布

问题:

I developed an Intranet for a client using Django. The users sign on to their computers via Active Directory. Currently, I log them in via standard Django contrib.auth, and use Active Directory via custom login backends.

What I'd like is for users to be able to use SSO via their existing Active Directory login to be automatically logged into the Django site.

I understand that this should be done via REMOTE_USER (https://docs.djangoproject.com/en/dev/howto/auth-remote-user/), but the documentation says: "where the Web server sets the REMOTE_USER environment variable". This assumes that the Django site and the authentication server are on the same server, no?

In my case, the Django site is running on a Linux + Apache server and the Active Directory on another Windows machine (there's actually 2 different AD servers we use to log people in), so I don't know how the REMOTE_USER env variable would be set.

The users are all using Windows machines.

回答1:

The magic word herefore is kerberos authentication.

Your user does not authenticate against your django application but against your webserver. Your intranet probably has a kerberos service running, that authenticates your user for you and just gives you a user name in REMOTE_USER if he is authenticated.

You can then search your LDAP for specific Access Rights or have an own database with special access rights.

Here is a short article from CentOS. It is very important what your environment looks like, so all I cann do is show you the direction ;-)

http://wiki.centos.org/HowTos/HttpKerberosAuth