id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
25030	The /admin/login/ should observe external authentication even when it appears in POST	Jan Pazdziora	nobody	"The Apache module mod_intercept_form_submit (http://www.adelton.com/apache/mod_intercept_form_submit/) allows PAM authentication to be run by Apache when the application's native logon form is submitted. The module attempts the PAM authentication and sets {{{r->user}}} / REMOTE_USER accordingly. The use case is described in more detail at http://www.freeipa.org/page/Web_App_Authentication#Login_form_using_FreeIPA and http://www.freeipa.org/page/Web_App_Authentication/Example_setup#External_identities_for_login_form.

However, Django's /admin/login/ implementation has a check

{{{
if request.method == 'GET' and self.has_permission(request):
}}}

in its {{{login}}} method. So even if I have Apache configured with

{{{
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
<Location /admin/login/>
InterceptFormPAMService django-admin
InterceptFormLogin username
InterceptFormPassword password
</Location>
}}}

and in access_log I see the admin user authenticated by the module, since it happened during a POST request, /admin/login/ ignores the fact that {{{self.has_permission(request)}}} returns true and prints the error message ""Please enter the correct username and password for a staff account. Note that both fields may be case-sensitive."" However, the session based on REMOTE_USER has actually been created, so if you just repeat the same request (http://www.example.com/admin/login/?next=/admin/) with GET by hitting Ctrl+L and Enter, you will get to /admin/ without issues."	New feature	closed	contrib.auth	dev	Normal	wontfix			Accepted	1	0	0	1	0	0
