Brandon Konkle
Brandon Konkle

Principal Engineer, type system nerd, Rust enthusiast, supporter of social justice, loving husband & father, avid comic & manga reader, 日本語を勉強してる。

I’m a Software Architect with more than 15 years of experience creating high performance server and front-end applications targeting web and mobile platforms, & today I lead a team at Formidable Labs.

Share


Tags


Django with Apache and mod_auth_sspi

I recently finished up a project for a company intranet using Windows. Though Windows is not my favorite environment, Django works flawlessly there so it usually doesn't present many problems. One of the features needed for the site was automatic authentication through integrated Windows security. To achieve this, I used an Apache module called modauthsspi to authenticate the user, and then modified Django to accept the server-supplied authentication. I had some difficulty finding clear instructions on how to do this, so I decided to make this the first post on the Adoleo Blog so that I can share this detailed howto with others in my situation.

Getting started

First, start with a working installation of Apache + Django on Windows. I'm using modpython, but I believe this tutorial should also work for modwsgi. If you need assistance setting Django up in a Windows environment, I found this link to be very helpful.

In my situation, I was already using the built-in django.contrib.auth, so I already had a superuser defined. This is not necessary, but I found it made things easy for me when I needed to set the auto-created User object up as a superuser later.

Installing modauthsspi

Download modauthsspi from SourceForge using this link.

Extract it, and then open the /modauthsspi-1.0.4/bin folder.

Copy modauthsspi.so to your Apache modules directory. Mine was at C:/Program Files/Apache Software Foundation/Apache2.2/modules.

Copy sspipkgs.exe to your Apache bin directory. Mine was C:/Program Files/Apache Software Foundation/Apache2.2/bin.

Configuring Apache

To configure Apache to use the module you just installed, you need to modify your httpd.conf. Add the following lines underneath the other LoadModule statements in the file:

<IfModule !mod_auth_sspi.c>
    LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>

Then, add the following lines to the Location setting for your Django project:

AuthName "YOURDOMAIN"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain "YOURDOMAIN"
SSPIOmitDomain On
SSPIUsernameCase "upper"
SSPIPerRequestAuth On

Require valid-user

Change AuthName and SSPIDomain to your domain name. You can use “upper” or “lower” in SSPIUsernameCase, depending on your preference. For reference, my location setting looked similar to this:

<Location "/">
    AuthName "YOURDOMAIN"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain "YOURDOMAIN"
    SSPIOmitDomain On
    SSPIUsernameCase "upper"
    SSPIPerRequestAuth On

    Require valid-user 

    SetHandler python-program
    PythonPath "['C:/django-projects','C:/django-plugins'] + sys.path"
    PythonHandler django.core.handlers.modpython
    SetEnv DJANGO_SETTINGS_MODULE myproject.settings
    PythonDebug On
</Location>

Customizing the Django authentication backend and middleware

Next, Apply the most recent patch from ticket #689. You can get an up-to-date patch from this link.

After that open up your settings.py and add django.contrib.auth.middleware.RemoteUserAuthMiddleware to your MIDDLEWARECLASSES setting. Create a new AUTHENTICATIONBACKENDS setting to replace the default, and populate it with django.contrib.auth.backends.RemoteUserAuthBackend. After doing this, the authentication and middleware sections of my settings.py file looked like this:

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.doc.XViewMiddleware',
    'django.contrib.redirects.middleware.RedirectFallbackMiddleware',
    'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
)

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.RemoteUserAuthBackend',
)

Creating a superuser

At this point, the work is mostly done! Restart Apache, and fire up your browser. If you’re using IE and you are on the domain indicated in your httpd.conf, then it normally won't even prompt for the username and password.

The new backend and middleware will create a new user your Windows username. This user will not yet be able to log into the Admin console, however. To correct this, go back into your settings.py and comment out the RemoteUserAuthMiddleware line and the entire AUTHENTICATION_BACKENDS section.

Restart Apache, and log in with your previously established superuser. Fire up the admin interface and edit your newly created Windows-based user to add superuser privelages. Then, go back to settings.py, uncomment, restart Apache, and you should be all set. I deleted my old superuser and I'm using the Windows user from now on.

Hopefully this has helped you get up and running a lot faster than I did. Let me know in the comments if I've botched any part of this howto, and I'll be glad to update it.

Thanks!

I’m a Software Architect with more than 15 years of experience creating high performance server and front-end applications targeting web and mobile platforms, & today I lead a team at Formidable Labs.

View Comments