Authentication

There are many, many ways to authenticate users, and many, many Django packages that define authentication methods.

Password authentication

As you know, Django offers a model for users (django.contrib.auth.models.User). Of course, you can use it, but you must define views for creating new accounts, logging in and logging out. DjangoFloor comes with the required views (and templates that look like the admin site) for using it. DjangoFloor can also handle basic HTTP authentication (useful for APIs).

You can also add the package django-allauth. Again, DjangoFloor comes with the required templates (using the admin site CSS). HTTP basic authentication is disabled by default, but you can easily activate it:

Or you can only activate it when you deploy your app:

/etc/yourproject/settings.ini
[auth]
allow_basic_auth = true

By default, password authentication only uses the Django user database, but you can disable it (for example if you only use an LDAP authentication):

yourproject/defaults.py
DF_ALLOW_LOCAL_USERS = False

Or in the .ini file:

/etc/yourproject/settings.ini
[auth]
local_users = false

You can allow anonymous users to create their own account:

/etc/yourproject/settings.ini
[auth]
create_users = true

yourproject/defaults.py
DF_ALLOW_USER_CREATION = True

Reverse-proxy authentication

Your reverse proxy (Apache or Nginx) can authenticate users for you and put the user name in an HTTP header (often REMOTE_USER). Since the header is set by the reverse proxy and not by the Python server itself, this HTTP header is renamed to HTTP_REMOTE_USER. These reverse proxies can handle any authentication method, like Kerberos, GSSAPI, LDAP, Shibboleth, and so on. The djangofloor.middleware.DjangoFloorMiddleware middleware uses this HTTP header to authenticate users. The user is automatically created on their first connection (you can even automatically add them to several groups) if create_users is true. This method allows GSSAPI/Kerberos authentication. You can also configure the LDAP authentication if you want to retrieve user attributes (or groups) from the LDAP server.

/etc/yourproject/settings.ini
[auth]
remote_user_header = HTTP-REMOTE-USER
remote_user_groups = Users,New Users
create_users = true
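To make the mechanism concrete, here is an added example (not DjangoFloor's own middleware) of how a header set by the reverse proxy is turned into an authenticated, auto-created user with the configured groups. It assumes that the configured header name (HTTP-REMOTE-USER) is the request.META key written with dashes, and it adds one hypothetical safeguard, trusted_proxies, that DjangoFloor's configuration above does not show: the header is only honoured when the request actually comes from the proxy, so a client that can reach the Python server directly cannot log in by sending the header itself. UserStore, User and authenticate_request are illustration names standing in for Django's user model.

```python
"""Added example: consuming a reverse-proxy authentication header safely.

Not DjangoFloor's code. UserStore/User stand in for Django's User model;
trusted_proxies is a hypothetical safeguard, not a DjangoFloor setting.
"""
from dataclasses import dataclass, field


def header_to_meta_key(header_name: str) -> str:
    """'HTTP-REMOTE-USER' (ini value) -> 'HTTP_REMOTE_USER' (request.META key).

    Assumption: the configured name is already the META form, with dashes.
    """
    return header_name.strip().upper().replace("-", "_")


def parse_group_list(value: str) -> list:
    """'Users,New Users' -> ['Users', 'New Users'] (comma-separated, trimmed)."""
    return [g.strip() for g in value.split(",") if g.strip()]


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)


class UserStore:
    """In-memory stand-in for the Django user table (constructed for this example)."""

    def __init__(self):
        self.users = {}

    def get(self, username):
        return self.users.get(username)

    def create(self, username, groups):
        user = User(username, set(groups))
        self.users[username] = user
        return user


def authenticate_request(meta, store, *, remote_user_header="HTTP-REMOTE-USER",
                         remote_user_groups="", create_users=False,
                         trusted_proxies=frozenset()):
    """Return the authenticated User, or None.

    meta: the request.META dict (REMOTE_ADDR plus HTTP_* headers).
    trusted_proxies: addresses the header is accepted from (hypothetical).
    """
    # Only the reverse proxy is allowed to assert an identity: if the request
    # did not arrive from it, the header is untrusted and simply ignored.
    if meta.get("REMOTE_ADDR") not in trusted_proxies:
        return None
    username = (meta.get(header_to_meta_key(remote_user_header)) or "").strip()
    if not username:
        return None
    user = store.get(username)
    if user is None:
        if not create_users:
            return None  # unknown user and auto-creation disabled
        # First connection: create the account in the configured groups.
        user = store.create(username, parse_group_list(remote_user_groups))
    return user


if __name__ == "__main__":
    store = UserStore()
    meta = {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "alice"}  # constructed
    print(authenticate_request(meta, store, remote_user_groups="Users,New Users",
                               create_users=True, trusted_proxies={"127.0.0.1"}))
```

The REMOTE_ADDR check is the part to keep in mind when deploying this mode: the proxy must be the only path to the application (or must overwrite any incoming copy of the header), otherwise the header is just client input.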

OAuth2 authentication

The package django-allauth perfectly handles OAuth2 authentication from many providers. Please check its own documentation. Of course, it must be installed separately (it is not a dependency of DjangoFloor).

The following things are transparently modified:

  • INSTALLED_APPS will contain the list of all required Django apps,
  • allauth.urls is inserted in root urls,
  • allauth.account.auth_backends.AuthenticationBackend is added to authentication backends.

However, you still have to write HTML templates, as described in this documentation. You can add a new provider or display configured providers with the following commands:

yourproject-ctl social_authentications show
yourproject-ctl social_authentications add

You need to run the migrate command again to finalize the creation. The first command also displays the configuration file that is used. If you reinstall your server, just back up this file to avoid repeating this manual process.

PAM authentication

You can authenticate your users against the local PAM database: install “django-pam” and set this in the config file:

/etc/yourproject/settings.ini
[auth]
pam = true

Radius authentication

You can also authenticate users by checking their password against a Radius server, if you have installed the “django-radius” package:

/etc/yourproject/settings.ini
[auth]
radius_server = 8.8.8.1
radius_port = 1812
radius_secret = secret

LDAP authentication

Everything is ready to transparently use django-auth-ldap to enable LDAP authentication. There are two modes for LDAP authentication:

  • an LDAP search is performed (to find the user and its groups) with a dedicated service account, then a bind with the user's credentials is performed to check the password,
  • a direct bind is performed with the user's login/password, and that same account is then used to search the user's data.

Here is an example of configuration for the first method:

/etc/yourproject/settings.ini
[auth]
ldap_server_url = ldap://ldap.example.com
ldap_start_tls = false
ldap_user_search_base = ou=users,dc=example,dc=com
ldap_bind_dn = cn=admin,ou=users,dc=example,dc=com
ldap_bind_password = secret
ldap_filter = (uid=%%(user)s)

and for the second method:

/etc/yourproject/settings.ini
[auth]
ldap_server_url = ldap://ldap.example.com
ldap_start_tls = false
ldap_direct_bind = uid=%%(user)s,ou=users,dc=example,dc=com

You can also use some advanced features, for example to retrieve some user attributes from the LDAP server, or to copy the user's groups:

/etc/yourproject/settings.ini
[auth]
ldap_first_name_attribute = givenName
ldap_email_attribute = email
ldap_last_name_attribute = sn
ldap_is_active_group = cn=active,ou=groups,dc=example,dc=com
ldap_is_staff_group = cn=staff,ou=groups,dc=example,dc=com
ldap_is_superuser_group = cn=admin,ou=groups,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
ldap_group_type = posix
ldap_mirror_groups = true
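The three fragments above (search-then-bind, direct bind, and the attribute/group options) are easier to reason about once you see how they map onto the django-auth-ldap settings they stand for. The following is an added example, not DjangoFloor's own loader: it reads the [auth] section with Python's configparser (which is why the ini files write %%(user)s, as configparser turns %% into a single %) and translates it into the setting names documented by django-auth-ldap (AUTH_LDAP_SERVER_URI, AUTH_LDAP_BIND_DN, AUTH_LDAP_USER_DN_TEMPLATE, and so on). The exact mapping, the ADVANCED_INI fragment (a constructed combination of the first and third fragments), and the transport_warning helper are assumptions made for this example; a real settings module would also wrap the search values in LDAPSearch objects.

```python
"""Added example (not DjangoFloor's own code): translate the [auth] LDAP
keys shown in the documentation into django-auth-ldap setting names.
The mapping below is an assumption about how such a translation looks.
"""
import configparser

# Constructed copies of the documentation's fragments (mode 1, mode 2, and
# mode 1 combined with the advanced options and TLS turned on).
SEARCH_THEN_BIND_INI = """
[auth]
ldap_server_url = ldap://ldap.example.com
ldap_start_tls = false
ldap_user_search_base = ou=users,dc=example,dc=com
ldap_bind_dn = cn=admin,ou=users,dc=example,dc=com
ldap_bind_password = secret
ldap_filter = (uid=%%(user)s)
"""

DIRECT_BIND_INI = """
[auth]
ldap_server_url = ldap://ldap.example.com
ldap_start_tls = false
ldap_direct_bind = uid=%%(user)s,ou=users,dc=example,dc=com
"""

ADVANCED_INI = SEARCH_THEN_BIND_INI.replace("ldap_start_tls = false", "ldap_start_tls = true") + """
ldap_first_name_attribute = givenName
ldap_email_attribute = email
ldap_last_name_attribute = sn
ldap_is_active_group = cn=active,ou=groups,dc=example,dc=com
ldap_is_staff_group = cn=staff,ou=groups,dc=example,dc=com
ldap_is_superuser_group = cn=admin,ou=groups,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
ldap_group_type = posix
ldap_mirror_groups = true
"""


def load_auth_section(text):
    """Parse an ini string and return its [auth] section (interpolation applied
    on access, so '%%(user)s' is read back as '%(user)s')."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser["auth"]


def ldap_settings(auth):
    """Map [auth] keys to django-auth-ldap setting names (assumed mapping)."""
    s = {
        "AUTH_LDAP_SERVER_URI": auth["ldap_server_url"],
        "AUTH_LDAP_START_TLS": auth.getboolean("ldap_start_tls", fallback=False),
    }
    if "ldap_direct_bind" in auth:
        # Mode 2: the user's DN is built from the login; no service account needed.
        s["AUTH_LDAP_USER_DN_TEMPLATE"] = auth["ldap_direct_bind"]
    else:
        # Mode 1: search with a service account, then bind as the user found.
        s["AUTH_LDAP_BIND_DN"] = auth["ldap_bind_dn"]
        s["AUTH_LDAP_BIND_PASSWORD"] = auth["ldap_bind_password"]
        s["AUTH_LDAP_USER_SEARCH"] = (auth["ldap_user_search_base"], auth["ldap_filter"])
    attr_map = {field: auth[key] for field, key in (
        ("first_name", "ldap_first_name_attribute"),
        ("last_name", "ldap_last_name_attribute"),
        ("email", "ldap_email_attribute")) if key in auth}
    if attr_map:
        s["AUTH_LDAP_USER_ATTR_MAP"] = attr_map
    flags = {flag: auth[key] for flag, key in (
        ("is_active", "ldap_is_active_group"),
        ("is_staff", "ldap_is_staff_group"),
        ("is_superuser", "ldap_is_superuser_group")) if key in auth}
    if flags:
        s["AUTH_LDAP_USER_FLAGS_BY_GROUP"] = flags
    if "ldap_group_search_base" in auth:
        s["AUTH_LDAP_GROUP_SEARCH"] = auth["ldap_group_search_base"]
        s["AUTH_LDAP_GROUP_TYPE"] = auth.get("ldap_group_type", "posix")
        s["AUTH_LDAP_MIRROR_GROUPS"] = auth.getboolean("ldap_mirror_groups", fallback=False)
    return s


def transport_warning(settings):
    """Return a message when bind credentials would cross the network in clear:
    a plain ldap:// URI with STARTTLS disabled sends every password unencrypted."""
    if settings["AUTH_LDAP_SERVER_URI"].startswith("ldap://") and not settings["AUTH_LDAP_START_TLS"]:
        return "ldap:// without STARTTLS: passwords are sent in cleartext"
    return None


if __name__ == "__main__":
    for text in (SEARCH_THEN_BIND_INI, DIRECT_BIND_INI, ADVANCED_INI):
        cfg = ldap_settings(load_auth_section(text))
        print(cfg, transport_warning(cfg))
```

Both documented fragments use ldap:// with ldap_start_tls = false, so transport_warning flags them: in mode 1 that exposes the service account's bind password, in mode 2 every user's password. Switching on ldap_start_tls (or using an ldaps:// URL) is the configuration change that removes the warning.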