Index: django/contrib/auth/backends.py =================================================================== --- django/contrib/auth/backends.py (revision 6299) +++ django/contrib/auth/backends.py (working copy) @@ -19,3 +19,42 @@ return User.objects.get(pk=user_id) except User.DoesNotExist: return None + +class RemoteUserAuthBackend(ModelBackend): + def authenticate(self, username, password=None): + """ + Authenticate user - RemoteUserAuth middleware passes REMOTE_USER + as username. password param is not used, just added in case :) + """ + user = None + if username: + try: + user = User.objects.get(username=username) + except User.DoesNotExist: + # Auto-create user + if settings.REMOTE_USER_AUTH_AUTO_CREATE: + # We'll create a password, but it won't be used + password = User.objects.make_random_password() + user = User.objects.create_user(username, '', password) + user.is_staff = False + user.save() + # Check if there is an after_create function set in settings + # it is a string like 'path.to.module.function' + try: + path = settings.REMOTE_USER_AUTH_AFTER_CREATE + except: + # No custom after_create function + return user + i = path.rfind('.') + module, attr = path[:i], path[i+1:] + try: + module = __import__(module, {}, {}, [attr]) + except ImportError: + raise ImproperlyConfigured, 'Error importing function %s' % path + try: + func = getattr(module, attr) + # this function is called with the new User object + func(user) + except: + raise ImproperlyConfigured, 'Error executing function %s' % path + return user Index: django/contrib/auth/middleware.py =================================================================== --- django/contrib/auth/middleware.py (revision 6299) +++ django/contrib/auth/middleware.py (working copy) @@ -10,3 +10,20 @@ assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'." request.__class__.user = LazyUser() return None + +class RemoteUserAuthMiddleware(object): + def process_request(self, request): + from django.contrib.auth import authenticate, login + # AuthenticationMiddleware is required to create request.user + error = """The Django RemoteUserAuth middleware requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES +setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' *before* the RemoteUserMiddleware class.""" + assert hasattr(request, 'user'), error + if request.user.is_anonymous(): + try: + user = authenticate(username=request.META['REMOTE_USER']) + except: + user = None + if user is not None: + request.user = user # set request.user to the authenticated user + login(request, user) # auto-login the user to Django + return None \ No newline at end of file Index: docs/auth_remote_user.txt =================================================================== --- docs/auth_remote_user.txt (revision 0) +++ docs/auth_remote_user.txt (revision 0) @@ -0,0 +1,71 @@ +============================= +Authenticating against REMOTE_USER from Apache +============================= + +Typically on an intranet, users are already authenticated (e.g. in a Windows domain). +It is possible to let Apache use NTLM to verify that a user is authenticated, and only +allow valid users to enter your website. Apache will set a REMOTE_USER variable containing +the user's username. This can be used to inform django which user is accessing the site. +If the user is not yet in django's userbase, she can be added automatically. + +Configuring Apache +============== + +You will need a module that can authenticate using NTLM. +Examples are mod_NTLM or mod_auth_sspi. +Configure Apache to use these to authenticate the user. +An example configuration using mod_auth_sspi looks like this: + +# Add the module: + +LoadModule sspi_auth_module modules/mod_auth_sspi.so + +# Configure the authentication: + + + AuthName "myIntranet" + AuthType SSPI + SSPIAuth On + SSPIAuthoritative On + SSPIDomain "myDomain" + SSPIOmitDomain On + SSPIUsernameCase "upper" + + Require valid-user + + SetHandler python-program + PythonHandler django.core.handlers.modpython + SetEnv DJANGO_SETTINGS_MODULE your_settings + PythonPath "['d:\\\\websites'] + ['d:\\\\websites\\\\myproject'] + sys.path" + + +Configuring django +============= + +In your settings file, add the RemoteUserAuthMiddleware and the RemoteUserAuthBackend like this: + +Add the middleware AFTER the AuthenticationMiddleware: + + 'django.contrib.auth.middleware.AuthenticationMiddleware', + 'django.contrib.auth.middleware.RemoteUserAuthMiddleware', + +Add the RemoteUserAuthBackend as authentication backend: + AUTHENTICATION_BACKENDS = ( + 'django.contrib.auth.RemoteUserAuthBackend', + ) + +Set the REMOTE_USER_AUTH_AUTO_CREATE setting if you want to automatically add and authenticate +users that are unknown to django (but are already authenticated by Apache) : + + REMOTE_USER_AUTH_AUTO_CREATE = True + +You can also pass in a custom function to be executed AFTER a new user was added to the django database: + + REMOTE_USER_AUTH_AFTER_CREATE = 'path.to.module.function' + +This function will be called with one parameter: the newly created User object. +You could use this function to set detailed info or permissions on the users (e.g. from an LDAP source). + + + +