=========================================================
Authenticating against Django's user database from Apache
=========================================================

Since keeping multiple authentication databases in sync is a common problem when
dealing with Apache, you can configure Apache to authenticate against Django's
:doc:`authentication system </topics/auth>` directly. For example, you
could:

* Serve static/media files directly from Apache only to authenticated users.

* Authenticate access to a Subversion_ repository against Django users with
  a certain permission.

* Allow certain users to connect to a WebDAV share created with mod_dav_.

.. _Subversion: http://subversion.tigris.org/
.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html

Configuring Apache
==================

To check against Django's authorization database from an Apache configuration
file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along
with the standard ``Auth*`` and ``Require`` directives:

.. code-block:: apache

    <Location /example/>
        AuthType Basic
        AuthName "example.com"
        Require valid-user

        SetEnv DJANGO_SETTINGS_MODULE mysite.settings
        PythonAuthenHandler django.contrib.auth.handlers.modpython
    </Location>

.. admonition:: Using the authentication handler with Apache 2.2

    If you're using Apache 2.2, you'll need to take a couple of extra steps.

    You'll need to ensure that ``mod_auth_basic`` and ``mod_authz_user``
    are loaded. These might be compiled statically into Apache, or you might
    need to use ``LoadModule`` to load them dynamically (as shown in the
    example at the bottom of this note).

    You'll also need to insert configuration directives that prevent Apache
    from trying to use other authentication modules, as well as specifying
    the ``AuthUserFile`` directive and pointing it to ``/dev/null``. Depending
    on which other authentication modules you have loaded, you might need one
    or more of the following directives:

    .. code-block:: apache

        AuthBasicAuthoritative Off
        AuthDefaultAuthoritative Off
        AuthzLDAPAuthoritative Off
        AuthzDBMAuthoritative Off
        AuthzDefaultAuthoritative Off
        AuthzGroupFileAuthoritative Off
        AuthzOwnerAuthoritative Off
        AuthzUserAuthoritative Off

    A complete configuration, with differences between Apache 2.0 and
    Apache 2.2 marked in bold, would look something like:

    .. parsed-literal::

        **LoadModule auth_basic_module modules/mod_auth_basic.so**
        **LoadModule authz_user_module modules/mod_authz_user.so**

        ...

        <Location /example/>
            AuthType Basic
            AuthName "example.com"
            **AuthUserFile /dev/null**
            **AuthBasicAuthoritative Off**
            Require valid-user

            SetEnv DJANGO_SETTINGS_MODULE mysite.settings
            PythonAuthenHandler django.contrib.auth.handlers.modpython
        </Location>

By default, the authentication handler will limit access to the ``/example/``
location to users marked as staff members. You can use a set of
``PythonOption`` directives to modify this behavior:

================================  =========================================
``PythonOption``                  Explanation
================================  =========================================
``DjangoRequireStaffStatus``      If set to ``on`` only "staff" users (i.e.
                                  those with the ``is_staff`` flag set)
                                  will be allowed.

                                  Defaults to ``on``.

``DjangoRequireSuperuserStatus``  If set to ``on`` only superusers (i.e.
                                  those with the ``is_superuser`` flag set)
                                  will be allowed.

                                  Defaults to ``off``.

``DjangoPermissionName``          The name of a permission to require for
                                  access. See :ref:`custom permissions
                                  <custom-permissions>` for more
                                  information.

                                  By default no specific permission will be
                                  required.
================================  =========================================

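
As an added example (not part of the original documentation or of Django itself), the configuration below applies the options from the table to two locations: one opened to non-staff users who hold a single named permission, and one narrowed to superusers. The paths ``/reports/`` and ``/ops/`` and the permission name ``reports.view_report`` are hypothetical, and ``SSLRequireSSL`` assumes mod_ssl is loaded.

```apache
# Added example. /reports/, /ops/ and "reports.view_report" are
# hypothetical placeholders; mod_python and mod_ssl are assumed loaded.

<Location /reports/>
    # Basic auth sends the password merely base64-encoded on every
    # request, so refuse any request that did not arrive over HTTPS.
    SSLRequireSSL

    AuthType Basic
    AuthName "example.com"
    # The next two lines are the Apache 2.2 additions from the note above.
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off
    Require valid-user

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAuthenHandler django.contrib.auth.handlers.modpython

    # DjangoRequireStaffStatus defaults to on. Turn it off explicitly so
    # that non-staff accounts are considered at all ...
    PythonOption DjangoRequireStaffStatus off
    # ... and gate access on one named permission instead.
    PythonOption DjangoPermissionName reports.view_report
</Location>

<Location /ops/>
    SSLRequireSSL

    AuthType Basic
    AuthName "example.com"
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off
    Require valid-user

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAuthenHandler django.contrib.auth.handlers.modpython

    # The staff requirement is left at its default (on); additionally
    # require the is_superuser flag.
    PythonOption DjangoRequireSuperuserStatus on
</Location>
```
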
Note that sometimes ``SetEnv`` doesn't play well in this mod_python
configuration, for reasons unknown. If you're having problems getting
mod_python to recognize your ``DJANGO_SETTINGS_MODULE``, you can set it using
``PythonOption`` instead of ``SetEnv``. Therefore, these two Apache directives
are equivalent::

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonOption DJANGO_SETTINGS_MODULE mysite.settings