
Minimal Login Example #15

Open
alanprost opened this issue Jan 23, 2019 · 3 comments

Comments

@alanprost

I'm trying to use the django-auth-kerberos library - thanks a lot for putting it together - for a project requiring Kerberos authentication. Would it be possible to add a minimal working example of a Python login class to use with the library (for instance, to use in Django's views.py or forms.py)?

The KrbBackend authentication class does work fine in the Django shell. The kinit command works fine from my OS shell, too. It seems everything should work well. Yet, whenever I try to create a login page to use my actual Django app with Kerberos authentication, I am unable to make it work. My guess is that Django falls back (for some reason that I can't figure out) to its own backend, despite the fact that I have arranged my settings.py file as indicated.

My goal is to have the user start on a login page, then check the credentials they enter with Kerberos, and log them in to the site if successful. This seems like a typical use case.

I've tried creating a custom class overriding Django's AuthenticationForm, e.g.:

from django import forms
from django.contrib.auth.forms import AuthenticationForm
from django_auth_kerberos.backends import KrbBackend
[...]

class CustomLoginForm(AuthenticationForm):
    def clean(self):
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')

        if username and password:
            # Check the submitted credentials against the Kerberos backend
            self.user_cache = KrbBackend.authenticate(username=username,
                                                      password=password)
            if self.user_cache is None:
                raise forms.ValidationError(
                    self.error_messages['invalid_login'],
                    code='invalid_login',
                    params={'username': self.username_field.verbose_name},
                )
            else:
                self.confirm_login_allowed(self.user_cache)

        return self.cleaned_data

with the necessary urls set up, but that won't work. The login always returns the invalid_login error message - in fact, the POST request never makes it to KrbBackend. I've also tried a custom login function in views.py, which I don't like per se, but that won't work either, e.g.:

from django.contrib.auth import login
from django_auth_kerberos.backends import KrbBackend

def my_login_view(request):
    username = request.POST['username']
    password = request.POST['password']
    # Check the submitted credentials against the Kerberos backend
    user = KrbBackend.authenticate(username=username, password=password)
    if user:
        login(request, user)
        [...]

The Django documentation for external authentication is of little help [https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/] as it proposes an entirely different approach based on its RemoteUserBackend.

I get that I'm doing something wrong here, but my sense is that a minimal example would be really helpful for anyone looking to use the library.

@02strich
Owner

Could you share your settings and Django version?

From the shared descriptions I am not seeing anything wrong jumping out at me :( What I did not fully understand is whether you see the call go to the KrbBackend or not?

@alfonsrv

alfonsrv commented Jun 22, 2024

I too wish there was more information available on how to implement this. Like:

  • How is the KRB5_SERVICE to be configured? Does [hostname] mean the SPN (HTTP/<Django-FQDN>), i.e. my Django server's FQDN? And why do some issues' solutions here recommend discarding KRB5_SERVICE altogether – how does it work without it?
  • Does the Django server have to be domain joined? Does it need a krb5.conf file, does it need a keytab file?
  • How can I delegate credentials from e.g. a Windows server using requests-kerberos? Is mutual authentication required to see credentials when using Internet Explorer after adding the Django FQDN to "Trusted Zones"?
  • Where is the data if everything works – in the view's request.POST or in request.META['HTTP_AUTHORIZATION']? I thought using requests-kerberos with HTTPKerberosAuth(mutual_authentication=DISABLED, delegate=True) against the endpoint would provide me with some information somewhere in the view's request that could then be redirected to KrbBackend; but they're all blank.
  • Or does this library have to be used below a web-server authenticating the request first and doing the negotiation (e.g. as described here), then passing the "parsed credentials" down to Django?

I fiddled around with it for a couple of hours and read through the Microsoft documentation on how to set up IIS to do Kerberos authentication, but I'm feeling like I'm missing something here and the setup is harder than it has to be.

@alfonsrv

Oh, this is just a library that handles authentication initiated by the user via a form, entering their username + password, via Kerberos instead of the protocol that would be appropriate for this use case – LDAP. Gotcha.
