I'm considering moving from Apache to Lighttpd for an internal web application, written in Python. The problem is that I'm relying on libapache2-mod-auth-ntlm-winbind ... which doesn't actually seem to be a well supported & updated package (though that could be because it really does work well).

I'm looking for suggestions and hints about what it would take to use Django itself to handle the HTTP authentication. This would allow me to be web-server-agnostic, and could potentially be a grand learning experience.

Some topical concerns:

  1. Is it reasonable to have the custom application perform true HTTP authentication?
  2. How involved is getting my Python code connected to the Windows domain controller for this kind of authentication without prompting the user for a password?
  3. Does NTLM provide any access to user details & group memberships so that I can stop searching through yet another connection to the Windows domain controller via LDAP?

I would love to be able to write a module to simplify this technique which could be shared with the community.

+1  A: 

Partial answer:

You can (and should) pass the NTLM auth off to an external helper. Basically, install Samba on the machine, configure it, join the domain, enable winbind, then use the "ntlm_auth" helper binary, probably in "pipe" mode.

Authenticating an NTLM session requires a secure pipe to the domain controller, which needs credentials (e.g. a Samba/domain-member machine account). This is the quickest route to get there.

Squid (the web cache) has code for doing NTLM auth using the external helper; FreeRadius does something similar.

The NTLM auth itself does not provide any group info; if you're running winbind you could of course use calls to "wbinfo" to get user groups.

Realist
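The answer above describes the pieces (joined domain, winbind, `ntlm_auth` in pipe mode) but not how the web application actually drives them. The following is an added example, not code from the question or the answer: it speaks the Squid-style `ntlm_auth --helper-protocol=squid-2.5-ntlmssp` line protocol over a pipe and runs the three-step HTTP NTLM handshake (401 with `WWW-Authenticate: NTLM`, Type 1 in, Type 2 challenge out, Type 3 in, `AF user` or `NA reason` back). It is framework-agnostic so it can be wrapped in a Django middleware or any WSGI handler. Assumptions not in the original: the helper path `/usr/bin/ntlm_auth`, a machine already joined to the domain with winbind running, and `FakeNtlmAuthProcess`, a constructed stand-in for the real pipe so the logic runs offline (its NTLM tokens are header-only stubs, not real messages).

```python
"""NTLM-over-HTTP via Samba's ntlm_auth helper (added example, not the OP's code)."""
import base64
import struct
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumed path; the helper must run on a domain-joined box with winbind up.
NTLM_AUTH_CMD = ["/usr/bin/ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"]


class HelperError(Exception):
    """Helper replied BH (broken helper), closed the pipe, or broke protocol."""


class NtlmAuthHelper:
    """One ntlm_auth process.  Protocol: send 'YR <b64 Type1>' -> 'TT <b64 Type2>',
    then 'KK <b64 Type3>' -> 'AF <user>' | 'NA <reason>' | 'BH <msg>'.
    A process holds exactly one challenge at a time, so use one helper per
    in-flight handshake (per client connection), never a single shared one."""

    def __init__(self, proc=None):
        self.proc = proc or subprocess.Popen(
            NTLM_AUTH_CMD, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            text=True, bufsize=1)

    def _exchange(self, line: str) -> Tuple[str, str]:
        self.proc.stdin.write(line + "\n")
        self.proc.stdin.flush()
        reply = self.proc.stdout.readline().rstrip("\n")
        if not reply:
            raise HelperError("ntlm_auth closed the pipe")
        code, _, payload = reply.partition(" ")
        if code == "BH":
            raise HelperError("broken helper: " + payload)
        return code, payload

    def negotiate(self, type1_b64: str) -> str:
        code, payload = self._exchange("YR " + type1_b64)
        if code != "TT":
            raise HelperError("expected TT, got " + code)
        return payload  # base64 Type 2 challenge for the next 401

    def authenticate(self, type3_b64: str) -> Optional[str]:
        code, payload = self._exchange("KK " + type3_b64)
        if code == "AF":
            return payload  # e.g. 'EXAMPLE\\alice' (winbind separator dependent)
        if code == "NA":
            return None     # bad credentials; caller restarts the handshake
        raise HelperError("expected AF/NA, got " + code)


def ntlm_message_type(token_b64: str) -> int:
    """Read the NTLMSSP header: 8-byte signature, then LE uint32 type
    (1 = Negotiate, 2 = Challenge, 3 = Authenticate)."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0]


class Connection:
    """Per-TCP-connection state: NTLM authenticates the connection, not each request."""
    def __init__(self, helper: NtlmAuthHelper):
        self.helper = helper
        self.user: Optional[str] = None


def handle_request(conn: Connection, authorization: Optional[str]
                   ) -> Tuple[int, Dict[str, str], Optional[str]]:
    """One step of the handshake -> (status, extra headers, authenticated user)."""
    if conn.user:
        return 200, {}, conn.user
    if not authorization or not authorization.startswith("NTLM "):
        return 401, {"WWW-Authenticate": "NTLM"}, None
    token = authorization[len("NTLM "):].strip()
    try:
        msg_type = ntlm_message_type(token)
    except ValueError:  # binascii.Error is a ValueError too
        return 400, {}, None
    if msg_type == 1:   # Type 1 -> helper; Type 2 challenge rides the 401
        return 401, {"WWW-Authenticate": "NTLM " + conn.helper.negotiate(token)}, None
    if msg_type == 3:
        user = conn.helper.authenticate(token)
        if user is None:
            return 401, {"WWW-Authenticate": "NTLM"}, None
        conn.user = user
        return 200, {}, user
    return 400, {}, None


def ntlm_token(msg_type: int) -> str:
    """Constructed header-only NTLMSSP stub (real Type 1/3 carry more fields)."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type)).decode()


class FakeNtlmAuthProcess:
    """Constructed stand-in for the ntlm_auth pipe so this runs offline."""
    def __init__(self, accept_user: Optional[str]):
        self.accept_user, self._replies = accept_user, []
        self.stdin = self.stdout = self
    def write(self, line: str) -> None:
        cmd, _, _arg = line.rstrip("\n").partition(" ")
        if cmd == "YR":
            self._replies.append("TT " + ntlm_token(2) + "\n")
        elif cmd == "KK":
            self._replies.append(("AF " + self.accept_user) if self.accept_user
                                 else "NA NT_STATUS_LOGON_FAILURE")
            self._replies[-1] += "\n"
        else:
            self._replies.append("BH unknown command\n")
    def flush(self) -> None:
        pass
    def readline(self) -> str:
        return self._replies.pop(0)


def demo_handshake(accept_user: Optional[str]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Run the full three-request handshake against the fake helper."""
    conn = Connection(NtlmAuthHelper(FakeNtlmAuthProcess(accept_user)))
    steps = [handle_request(conn, None),
             handle_request(conn, "NTLM " + ntlm_token(1)),
             handle_request(conn, "NTLM " + ntlm_token(3))]
    return [(s, h.get("WWW-Authenticate"), u) for s, h, u in steps]


if __name__ == "__main__":
    print(demo_handshake("EXAMPLE\\alice"))
    print(demo_handshake(None))
```

Two practical caveats the answer hints at but does not spell out: because a single `ntlm_auth` process tracks one challenge at a time, a server handling concurrent clients needs a helper per connection (or a pool with checkout), and because NTLM is connection-scoped the result must be cached against the TCP connection, which is awkward for frameworks that only see requests. Group membership is a separate step, as the answer says; once `AF` returns a user name, `wbinfo -r <user>` from the same winbind setup lists that user's groups.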