AlexandruC

Reputation: 3637

SSL authenticate from Apache in Django

I want to authenticate a user using information from x509 certificate... Apache seems to authenticate ok, but I get no REMOTE_USER content in Django. Don't know why.

apache config:

NameVirtualHost *:443
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile    /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key

        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLCACertificateFile /etc/apache2/ssl/ca.cer


        SSLOptions +StdEnvVars +ExportCertData

        <Directory />
                        Options FollowSymLinks
                        AllowOverride None
                        SSLOptions +StdEnvVars


        </Directory>
        <Directory /var/www/>
                        Options Indexes FollowSymLinks MultiViews
                        AllowOverride None
                        Order allow,deny
                        allow from all
        </Directory>
        WSGIDaemonProcess rmc_wsgi processes=2 threads=15 display-name=%{GROUP}
        WSGIScriptAlias /rmc /home/xxx/projects/rmc/rmc/wsgi.py
        <Location /rmc>
                WSGIProcessGroup rmc_wsgi
        </Location>


</VirtualHost>

Middleware:

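from django.contrib.auth.middleware import RemoteUserMiddleware

class CorrectRemoteUserMiddleware(RemoteUserMiddleware):
    header = "HTTP_REMOTE_USER"  # environ key to read instead of the default REMOTE_USER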

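Backend:

import sys
from django.contrib.auth.backends import RemoteUserBackend

class RemoteUserBackendNoCreate(RemoteUserBackend):
    create_unknown_user = True

    def authenticate(self, remote_user):
        # Name the class explicitly: super(self.__class__, ...) recurses forever once subclassed
        user = super(RemoteUserBackendNoCreate, self).authenticate(remote_user)
        # %r formatting avoids the TypeError raised by concatenating a str with a User or None
        sys.stderr.write("AuthBackend: REMOTE_USER=%r AuthBackend: User=%r\n" % (remote_user, user))
        sys.stderr.write("in authenticate\n")
        return user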

settings.py:

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'webrecif.middleware.CorrectRemoteUserMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',

)

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.RemoteUserBackend',
    'webrecif.backends.RemoteUserBackendNoCreate',
)

TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.auth.context_processors.auth',
    'django.core.context_processors.static',
)

Upvotes: 2

Views: 515

Answers (1)

Foon

Reputation: 6458

I think you want to add SSLUserName SSL_CLIENT_S_DN_CN to your Apache SSL conf; per http://httpd.apache.org/docs/2.2/mod/mod_ssl.html this will set the REMOTE_USER to the USER's Common Name. (Depending on how many certs you support, you may want to use the DN to guarantee uniqueness). You may also need to add some modifications if your DN or CN exceeds the Django username string length.

Upvotes: 3
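The two caveats in the answer above (a CN may not be unique, and a DN may be longer than the username field) can both be handled by deriving the username from the whole certificate subject. This is an added example, not code from the original question or answer: `subject_to_username`, `DEFAULT_MAX_LENGTH` and `DIGEST_CHARS` are hypothetical names, and the 30-character default and the username alphabet are assumptions to adjust to your user model.

```python
import hashlib
import re

DEFAULT_MAX_LENGTH = 30   # assumption: set to your User.username max_length
DIGEST_CHARS = 16         # hex chars of SHA-256 (64 bits) kept as a suffix


def subject_to_username(subject, max_length=DEFAULT_MAX_LENGTH):
    """Map a certificate subject (full DN or bare CN) to a stable username.

    The result is always "<readable>-<digest>" and never longer than
    max_length. The digest covers the whole subject, so two certificates
    sharing a CN but differing elsewhere in the DN get different names.
    """
    if not subject or not subject.strip():
        raise ValueError("empty certificate subject")
    if max_length < DIGEST_CHARS + 2:
        raise ValueError("max_length too small for the digest suffix")

    # Collapse whitespace so the same certificate always hashes the same.
    canonical = re.sub(r"\s+", " ", subject.strip())
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:DIGEST_CHARS]

    # Use the CN as the readable part when the input is a DN; this accepts
    # both the "/C=../CN=.." and the "CN=..,O=.." layouts.
    match = re.search(r"(?:^|[,/])\s*CN=([^,/]+)", canonical, re.IGNORECASE)
    readable = match.group(1).strip() if match else canonical

    # Replace anything outside the assumed username alphabet [\w.@+-].
    readable = re.sub(r"[^\w.@+-]", "_", readable) or "cert"

    # Truncate only the readable part; the digest suffix stays intact.
    return readable[: max_length - DIGEST_CHARS - 1] + "-" + digest


if __name__ == "__main__":
    # Constructed sample subjects, not taken from a real certificate.
    for dn in ("/C=RO/O=Example Org/CN=Alexandra Popescu-Ionescu Constantinescu",
               "/C=RO/O=Other Org/CN=Alexandra Popescu-Ionescu Constantinescu"):
        print(subject_to_username(dn))
```

In Django this would be called from a `clean_username` override on the `RemoteUserBackend` subclass, with `SSLUserName` pointed at the DN rather than the CN.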
