1 =========================================================

     2 Authenticating against Django's user database from Apache

     3 =========================================================

     4 

     5 Since keeping multiple authentication databases in sync is a common problem when

     6 dealing with Apache, you can configuring Apache to authenticate against Django's

     7 :doc:`authentication system </topics/auth>` directly. For example, you

     8 could:

     9 

    10     * Serve static/media files directly from Apache only to authenticated users.

    11 

    12     * Authenticate access to a Subversion_ repository against Django users with

    13       a certain permission.

    14 

    15     * Allow certain users to connect to a WebDAV share created with mod_dav_.

    16 

    17 .. _Subversion: http://subversion.tigris.org/

    18 .. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html

    19 

    20 Configuring Apache

    21 ==================

    22 

    23 To check against Django's authorization database from a Apache configuration

    24 file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along

    25 with the standard ``Auth*`` and ``Require`` directives:

    26 

    27 .. code-block:: apache

    28 

    29     <Location /example/>

    30         AuthType Basic

    31         AuthName "example.com"

    32         Require valid-user

    33 

    34         SetEnv DJANGO_SETTINGS_MODULE mysite.settings

    35         PythonAuthenHandler django.contrib.auth.handlers.modpython

    36     </Location>

    37 

    38 .. admonition:: Using the authentication handler with Apache 2.2

    39 

    40     If you're using Apache 2.2, you'll need to take a couple extra steps.

    41 

    42     You'll need to ensure that ``mod_auth_basic`` and ``mod_authz_user``

    43     are loaded. These might be compiled statically into Apache, or you might

    44     need to use ``LoadModule`` to load them dynamically (as shown in the

    45     example at the bottom of this note).

    46 

    47     You'll also need to insert configuration directives that prevent Apache

    48     from trying to use other authentication modules, as well as specifying

    49     the ``AuthUserFile`` directive and pointing it to ``/dev/null``. Depending

    50     on which other authentication modules you have loaded, you might need one

    51     or more of the following directives:

    52 

    53     .. code-block:: apache

    54 

    55         AuthBasicAuthoritative Off

    56         AuthDefaultAuthoritative Off

    57         AuthzLDAPAuthoritative Off

    58         AuthzDBMAuthoritative Off

    59         AuthzDefaultAuthoritative Off

    60         AuthzGroupFileAuthoritative Off

    61         AuthzOwnerAuthoritative Off

    62         AuthzUserAuthoritative Off

    63 

    64     A complete configuration, with differences between Apache 2.0 and

    65     Apache 2.2 marked in bold, would look something like:

    66 

    67     .. parsed-literal::

    68 

    69         **LoadModule auth_basic_module modules/mod_auth_basic.so**

    70         **LoadModule authz_user_module modules/mod_authz_user.so**

    71 

    72         ...

    73 

    74         <Location /example/>

    75             AuthType Basic

    76             AuthName "example.com"

    77             **AuthUserFile /dev/null**

    78             **AuthBasicAuthoritative Off**

    79             Require valid-user

    80 

    81             SetEnv DJANGO_SETTINGS_MODULE mysite.settings

    82             PythonAuthenHandler django.contrib.auth.handlers.modpython

    83         </Location>

    84 

    85 By default, the authentication handler will limit access to the ``/example/``

    86 location to users marked as staff members.  You can use a set of

    87 ``PythonOption`` directives to modify this behavior:

    88 

    89     ================================  =========================================

    90     ``PythonOption``                  Explanation

    91     ================================  =========================================

    92     ``DjangoRequireStaffStatus``      If set to ``on`` only "staff" users (i.e.

    93                                       those with the ``is_staff`` flag set)

    94                                       will be allowed.

    95 

    96                                       Defaults to ``on``.

    97 

    98     ``DjangoRequireSuperuserStatus``  If set to ``on`` only superusers (i.e.

    99                                       those with the ``is_superuser`` flag set)

   100                                       will be allowed.

   101 

   102                                       Defaults to ``off``.

   103 

   104     ``DjangoPermissionName``          The name of a permission to require for

   105                                       access. See :ref:`custom permissions

   106                                       <custom-permissions>` for more

   107                                       information.

   108 

   109                                       By default no specific permission will be

   110                                       required.

   111     ================================  =========================================

   112 

   113 Note that sometimes ``SetEnv`` doesn't play well in this mod_python

   114 configuration, for reasons unknown. If you're having problems getting

   115 mod_python to recognize your ``DJANGO_SETTINGS_MODULE``, you can set it using

   116 ``PythonOption`` instead of ``SetEnv``. Therefore, these two Apache directives

   117 are equivalent::

   118 

   119     SetEnv DJANGO_SETTINGS_MODULE mysite.settings

   120     PythonOption DJANGO_SETTINGS_MODULE mysite.settings