Task: add Kerberos active directory authentication to an insecure reporting and data manipulation desktop application. This app is...
written in Stackless Python 2.7
uses Twisted for client-server interactions
Client is compiled to an exe and runs on Windows
Servers run on Linux (Red Hat)
Currently we pull the Windows network ID (logon name) from the user's account and pass to the server, which looks up what permissions that user is configured to have, and passes back menu options which provide access just to those features. Main weakness is that one could send a different username to the server and access other permissions.
Therefore Kerberos. (And LDAP, from what I read.)
Question:
Does Twisted provide a built-in Kerberos setup?
authkerb perhaps?
I found authkerb after a ton of searching, but I don't see feedback from anyone using it. I'm not sure where to start. If anyone has experience with this, or if you've run across any relevant info to implementing Kerberos specifically with Twisted, I'd appreciate it immensely!
I've never touched anything like Kerberos before, so I read up on it:
kerberos.org/software/tutorial.html
technet.microsoft.com/library/cc961976
web.mit.edu/kerberos/krb5-latest/doc/appdev/init_creds.html
web.mit.edu/kerberos/krb5-1.12/doc/user/tkt_mgmt.html
Also found tips on what to avoid:
faqs.org/faqs/kerberos-faq/general/section-83.html
Twisted does not.
However, http://calendarserver.org, which is bassed on Twisted, does have kerberos authentication, and was the originator of the https://pypi.python.org/pypi/pykerberos project. It should serve as a workable example.
Related
There are many solutions for third-party decentralized authentication that are pretty simple to set up: log in with Facebook credentials, OpenID, OAuth etc.
How can I do something similar inside the firewall, in a Windows domain environment?
The scenario:
Python web application inside the firewall, hosted on a Linux server.
Users have Windows desktops and authenticate to a Windows domain
I know I can validate a username/password against Active Directory using LDAP, but that is not what I want. I don't want my app to handle the username/password at all. I want it to work as OpenID does, i.e. my app redirects the user to some sort of Windows identity provider web page.
Is there a out-of-the-box Windows/IIS solution for this?
EDIT:
Could Windows Identity Foundation be what I'm looking for? Or perhaps WIF has the building blocks?
At the risk of giving too many answers, it sounds to me like ADFS 2.0 is your path of least resistance. As far as integrating claims based access into your python application, I've seen pysaml2 recommended as a way to do this, but I can't speak from experience.
I'm not a Windows guy, but Crowd from Atlassian:
Will run on Windows
Can authenticate against Active Directory
Includes an OpenID provider
So if you're application can handle OpenID, you'd have everything you need.
WIF together with Azure ACS will provide this out the box. e.g. Adding a Custom OpenID Provider to ACS… with JUST ONE LINE of PowerShell Code.
Or you could integrate with Dot Net Open Auth either with your own STS or using something like Identity Server.
I need to build a python web server which supports 2 different types of users :
"Super admins", which get full access to the admin panel when they connect using a pre-configured laptop/browser.
Admins, which get limited access to the admin panel and can connect using only a username/password combo.
I'm thinking SSL client authentication is a possible solution for authentifying the technicians.
Note that the web server will be embedded in a product and will not have internet access, so cannot connect to a CA.
Is SSL client authentication a good solution, or is there a simpler, or better option?
Here's what I've found...
CherryPy seems to be a very nice, simple python web server. However, it does not seem to support client authentification.
M2Crypto seems like a very complete library which supports all forms of SSL authentification, however I haven't found a detailed example of how to set up a python web server using M2Crypto for SSL client authentification.
pyOpenSSL seems to be dead.
I also found a recipe, which explains how to set up a python web server with SSL. However...
With this recipe, only the server is authenticated while the client
remains unauthenticated (i.e. the server will not request a client
certificate).
Source : http://code.activestate.com/recipes/442473-simple-http-server-supporting-ssl-secure-communica/
Can someone point me in the right direction or link to a well documented implementation of what I'm trying to do?
Thank you :)
Take a look at the twisted libraries: http://twistedmatrix.com/documents/current/core/examples/index.html
There is a simple echoservl_ssl and echoclient_ssl example in the link as well.
Optionally, bundle apache + any web framework and you're golden. There are loads of articles online about small embedded web servers.
I'm trying to add an Ldap authentication backend to a Django project running over GAE.
The project runs ok. The only problem really is Ldap is not supported by GAE. I mean:
import ldap
will generate a server error. Nonetheless, I do know that I could make my own modules available through zipimport.
Does anybody have any experience solving similar issues? Can this sort of workaround be an effective solution considering lower level dependencies?
Thanks!
A.
App Engine doesn't let you open sockets directly. Unless the LDAP server you're planning to connect to has an internet-visible HTTP front-end, you need a Plan B. (E.g., you could periodically upload extract from LDAP to your App.)
See http://code.google.com/appengine/docs/python/runtime.html#The_Sandbox
I received a project recently and I am wondering how to do something in a correct and secure manner.
The situation is the following:
There are classes to manage linux users, mysql users and databases and apache virtual hosts. They're used to automate the addition of users in a small shared-hosting environnement. These classes are then used in command-line scripts to offer a nice interface for the system administrator.
I am now asked to build a simple web interface to offer a GUI to the administrator and then offer some features directly to the users (change their unix password and other daily procedures).
I don't know how to implement the web application. It will run in Apache (with the apache user) but the classes need to access files and commands that are only usable by the root user to do the necessary changes (e.g useradd and virtual hosts configuration files). When using the command-line scripts, it is not a problem as they are run under the correct user. Giving permissions to the apache user would probably be dangerous.
What would be the best technique to allow this through the web application ? I would like to use the classes directly if possible (it would be handier than calling the command line scripts like external processes and parsing output) but I can't see how to do this in a secure manner.
I saw existing products doing similar things (webmin, eBox, ...) but I don't know how it works.
PS: The classes I received are simple but really badly programmed and barely commented. They are actually in PHP but I'm planning to port them to python. Then I'd like to use the Django framework to build the web admin interface.
Thanks and sorry if the question is not clear enough.
EDIT: I read a little bit about webmin and saw that it uses its own mini web server (called miniserv.pl). It seems like a good solution. The user running this server should then have permissions to modify the files and use the commands. How could I do something similar with Django? Use the development server? Would it be better to use something like CherryPy?
Hello
You can easily create web applications in Python using WSGI-compliant web frameworks such as CherryPy2 and templating engines such as Genshi. You can use the 'subprocess' module to manadge external commands...
You can use sudo to give the apache user root permission for only the commands/scripts you need for your web app.
I want to provide my colleagues with an interface (using Windows Forms or WPF) to control the states of virtual machines (KVM based) on a linux host. On the command line of this server, I'm using a tool, called libvirt, which provides python bindings to access its functionality.
What whould be the best pratice to remotely access several function like libvirt or reading logfiles on the server. I thought about a REST Full Webservice generated by Python. Are there other viable options to consider?
Thanks,
Henrik
I'd develop an intranet web application, using any python web framework of choice.
That way you don't have to develop/install software on your client. They just point the browser and it works.
Because you are using a server-side tool that has Python bindings, you should give a serious look at PYRO which is a Python RPC library.
http://pyro.sourceforge.net/
To use this you would also have to use Python on the client, but that shouldn't be a problem. If you haven't start writing your client, then you could do it all in IronPython. Or, if you need to add this to an already existing client, then you could still bind in either IronPython or CPython as an embedded scripting engine.
For more on PYRO and Ironpython, see this wiki page http://www.razorvine.net/python/PyroAndIronpython
Proxmox VE is a complete solution to manage KVM (and OpenVZ) based virtual machines, including a comprehensive web console, so maybe you can get a full solution without developing anything?