Single sign on to Django site via remote Active Directory


Question

I developed an Intranet for a client using Django. The users sign on to their computers via Active Directory. Currently, I log them in via standard Django contrib.auth, and use Active Directory via custom login backends.

What I'd like is for users to be able to use SSO via their existing Active Directory login to be automatically logged into the Django site.

I understand that this should be done via REMOTE_USER (https://docs.djangoproject.com/en/dev/howto/auth-remote-user/), but the documentation says: "where the Web server sets the REMOTE_USER environment variable". This assumes that the Django site and the authentication server are on the same server, no?

In my case, the Django site is running on a Linux + Apache server and the Active Directory on another Windows machine (there are actually 2 different AD servers we use to log people in), so I don't know how the REMOTE_USER env variable would be set.

The users are all using Windows machines.

Recommended answer

The magic word here is Kerberos authentication.

Your user does not authenticate against your Django application but against your webserver. Your intranet probably has a Kerberos service running that authenticates your user for you and just gives you a user name in REMOTE_USER if he is authenticated.

You can then search your LDAP for specific Access Rights or have your own database with special access rights.

Here is a short article from CentOS. It is very important what your environment looks like, so all I can do is show you the direction ;-)

http://wiki.centos.org/HowTos/HttpKerberosAuth
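The following is an added example, not part of the original question or answer: a WSGI wrapper that checks the Kerberos principal Apache places in REMOTE_USER before Django reads it, which matters when more than one AD domain can log users in. The realm names, the `KerberosRemoteUser` class and the `principal_to_username` helper are assumptions made for illustration; it also assumes Apache passes the full `user@REALM` principal.

```python
import re

# Constructed realm names; replace them with the realms of your own AD domains.
ALLOWED_REALMS = frozenset({"CORP.EXAMPLE.COM", "LAB.EXAMPLE.COM"})
# Plain account names only: this rejects service principals such as HTTP/host.
_ACCOUNT = re.compile(r"[A-Za-z0-9._-]{1,64}")


def principal_to_username(principal, allowed=ALLOWED_REALMS):
    """Return 'user@realm' in lower case, or None if the principal is rejected."""
    user, _, realm = principal.rpartition("@")
    if realm not in allowed:
        # Unknown realm, or no realm at all: do not guess which domain it is.
        return None
    if not _ACCOUNT.fullmatch(user):
        return None
    # AD account names are case-insensitive, so fold case to avoid creating
    # two Django users for one person. The realm is kept so that the same
    # account name in two domains never maps to one Django user.
    return f"{user.lower()}@{realm.lower()}"


class KerberosRemoteUser:
    """WSGI wrapper (hypothetical name) that vets environ['REMOTE_USER'].

    Intended use in wsgi.py, with Django's RemoteUserMiddleware and
    RemoteUserBackend enabled in settings:
        application = KerberosRemoteUser(get_wsgi_application())
    """

    def __init__(self, app, allowed=ALLOWED_REALMS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        username = principal_to_username(environ.get("REMOTE_USER", ""), self.allowed)
        if username is None:
            # Rejected or absent: Django then sees no REMOTE_USER at all.
            environ.pop("REMOTE_USER", None)
        else:
            environ["REMOTE_USER"] = username
        return self.app(environ, start_response)
```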
