
I am trying to use Kerberos and LDAP3 to authenticate my Django application inside the corporate network. When I am logged in to my corporate computer, I want my application to be able to log in without having to enter the username and password again. I figured out it can be done with Kerberos but couldn't find a comprehensive document about this. I am using ldap3 authentication right now, where the user has to enter a username and password, but I want to skip the process of entering the username and password. How can I do that?

1 Answer


Kerberos over HTTP uses SPNEGO (part of GSSAPI). There are many ways to implement it:

  • Using the web server (e.g. Apache has mod_auth_gssapi, IIS has "Integrated Windows Auth");
  • Using WSGI/ASGI middleware (e.g. wsgi-kerberos or asgi-gssapi);
  • Within Django (e.g. I found django_gss_spnego on GitHub and it seems like it should work).

In all cases, the app needs to have Kerberos credentials for HTTP/appdomain.example.com – for Windows AD that means creating a "service" user account for the app, assigning it the "HTTP/…" SPN, and (usually) exporting a keytab for the account.

Strictly speaking, LDAP is not involved in the Kerberos authentication process at all. You only need LDAP to look up additional user details after authentication is done. (SPNEGO gives you a Kerberos principal name, which you can look up as sAMAccountName – not userPrincipalName – in AD through LDAP.)
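The following is an added example, not code from the original answer nor from wsgi-kerberos, asgi-gssapi or django_gss_spnego. It shows the WSGI-middleware option end to end: challenge with `WWW-Authenticate: Negotiate`, hand the client's SPNEGO token to a GSSAPI acceptor, and on success expose the principal as `REMOTE_USER` (which Django's own `RemoteUserMiddleware`/`RemoteUserBackend` consume), then build the escaped LDAP filter that looks the user up by sAMAccountName rather than userPrincipalName. `gssapi_acceptor` uses the python-gssapi package and assumes the `HTTP/...` keytab is reachable through the MIT `KRB5_KTNAME` environment variable; everything else (`fake_acceptor`, `hello_app`, `call`, the `FAKE:` token format, the `jdoe@CORP.EXAMPLE.COM` principal) is constructed so the logic can be exercised without a KDC.

```python
import base64
import binascii
from typing import Callable, Optional, Tuple

# An acceptor takes the client's raw SPNEGO token and returns
# (principal_or_None, response_token_or_None); principal is None
# until the GSS context is complete.
Acceptor = Callable[[bytes], Tuple[Optional[str], Optional[bytes]]]


def gssapi_acceptor(token: bytes) -> Tuple[Optional[str], Optional[bytes]]:
    """Real acceptor via python-gssapi. Assumes KRB5_KTNAME points at the
    HTTP/ keytab and that the exchange completes in one round trip, which
    holds for a pure Kerberos SPNEGO token (an NTLM fallback would need
    per-client context state that this example does not keep)."""
    import gssapi  # lazy import so the module loads offline
    ctx = gssapi.SecurityContext(usage="accept")
    out = ctx.step(token)
    if not ctx.complete:
        return None, out
    return str(ctx.initiator_name), out


def principal_to_samaccountname(principal: str) -> str:
    """'jdoe@CORP.EXAMPLE.COM' -> 'jdoe' (realm stripped, name kept as-is)."""
    name, sep, _realm = principal.rpartition("@")
    return name if sep else principal


def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping so a principal name cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def samaccountname_filter(principal: str) -> str:
    """Filter to fetch the AD user object once SPNEGO has succeeded."""
    name = escape_ldap_filter_value(principal_to_samaccountname(principal))
    return "(&(objectClass=user)(sAMAccountName=%s))" % name


def negotiate_header(token: bytes) -> str:
    """Format a raw GSS token as an HTTP Negotiate header value."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


class NegotiateMiddleware:
    """Challenge, verify the token through the acceptor, set REMOTE_USER."""

    def __init__(self, app, acceptor: Acceptor = gssapi_acceptor):
        self.app = app
        self.acceptor = acceptor

    @staticmethod
    def _challenge(start_response, out_token: Optional[bytes]):
        value = negotiate_header(out_token) if out_token else "Negotiate"
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", value), ("Content-Type", "text/plain")])
        return [b"Authentication required\n"]

    def __call__(self, environ, start_response):
        scheme, _, token_b64 = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "negotiate" or not token_b64.strip():
            return self._challenge(start_response, None)
        try:
            token = base64.b64decode(token_b64.strip(), validate=True)
        except (binascii.Error, ValueError):
            return self._challenge(start_response, None)
        try:
            principal, out_token = self.acceptor(token)
        except Exception:  # GSS failure (bad keytab, wrong SPN, clock skew): re-challenge
            return self._challenge(start_response, None)
        if principal is None:
            return self._challenge(start_response, out_token)
        environ["KERBEROS_PRINCIPAL"] = principal
        environ["REMOTE_USER"] = principal_to_samaccountname(principal)

        def start_response_mutual(status, headers, exc_info=None):
            # Echo the server token so the client can verify mutual authentication.
            if out_token:
                headers = list(headers) + [("WWW-Authenticate", negotiate_header(out_token))]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_mutual)


# --- Constructed offline stand-ins (no real KDC or GSSAPI involved) ---------
def fake_acceptor(token: bytes) -> Tuple[Optional[str], Optional[bytes]]:
    """A token of the form b'FAKE:<principal>' is accepted as that principal."""
    if token.startswith(b"FAKE:"):
        return token[5:].decode("ascii"), b"SRV-TOKEN"
    return None, None


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"]).encode()]


def call(app, authorization: Optional[str] = None):
    """Run one WSGI request; returns (status, headers_dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = NegotiateMiddleware(hello_app, acceptor=fake_acceptor)
    print(call(app))  # 401 with a bare Negotiate challenge
    print(call(app, negotiate_header(b"FAKE:jdoe@CORP.EXAMPLE.COM")))  # 200, REMOTE_USER=jdoe
    print(samaccountname_filter("jdoe@CORP.EXAMPLE.COM"))
```

In production, wrap the Django WSGI application with `NegotiateMiddleware` using the default `gssapi_acceptor`, add `django.contrib.auth.middleware.RemoteUserMiddleware` and `RemoteUserBackend` to the Django settings, and run the sAMAccountName filter through ldap3 only for the profile lookup; the password never reaches the application.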
