Django connect SQL Server using active directory user

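I am using Django with the mssql-django backend to connect to SQL Server. Connecting to SQL Server with a SQL login works without problems. However, when I try to connect using an AD user, I get an exception: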

django.db.utils.InterfaceError: 
('28000', "[28000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]
Login failed for user 'DOMAIN\myuser'. (18456) (SQLDriverConnect); 
[28000] [Microsoft][ODBC Driver 17 for SQL Server]Invalid connection string attribute (0); 
[28000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'DOMAIN\myuser'. (18456); 
[28000] [Microsoft][ODBC Driver 17 for SQL Server]Invalid connection string attribute (0)")

My database settings in settings.py are:

import os

DATABASES = {
    'default': {
        'ENGINE': 'mssql',
        'NAME': os.environ.get('DB_NAME', 'djangodb'),
        # Backslash escaped so the value is exactly DOMAIN\myuser
        'USER': os.environ.get('USER', 'DOMAIN\\myuser'),
        'PASSWORD': os.environ.get('USER_PASS', 'mypass'),
        'HOST': os.environ.get('HOST', 'server.blabla.net'),
        'PORT': '',

        'OPTIONS': {
            'driver': 'ODBC Driver 17 for SQL Server',
        },
    },
}

What am I doing wrong?

If you are attempting to authenticate using Windows Authentication (Trusted Connection / Integrated Security [SSPI]), you cannot specify an Active Directory (AD) user as the USER in the connection string.

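It is possible to authenticate using this method, but you will need to authenticate to AD using Kerberos in order to receive the appropriate credentials that the driver can use to authenticate.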

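In your Django DATABASES options specify the following. Note that the Encrypt=yes option may not be required for your instance, but I have found it to be necessary if using the 18 driver, particularly if using an unencrypted connection.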

    "OPTIONS": {
        "driver": "ODBC Driver 18 for SQL Server",
        "extra_params": "Encrypt=yes;Trusted_Connection=yes",
    },

Deploying a Linux or macOS ODBC Driver Application Designed to Run as a Service

A system administrator can deploy an application to run as a service that uses Kerberos Authentication to connect to SQL Server.

You first need to configure Kerberos on the client and then ensure that the application can use the Kerberos credential of the default principal.

Ensure that you use kinit or PAM (Pluggable Authentication Module) to obtain and cache the TGT for the principal that the connection uses, via one of the following methods:

Run kinit, passing in a principal name and password.

Run kinit, passing in a principal name and a location of a keytab file that contains the principal's key created by ktutil.

Ensure that the login to the system was done using the Kerberos PAM (Pluggable Authentication Module).

When an application runs as a service, because Kerberos credentials expire by design, renew the credentials to ensure continued service availability. The ODBC driver does not renew credentials itself; ensure that there is a cron job or script that periodically runs to renew the credentials before their expiration. To avoid requiring the password for each renewal, you can use a keytab file.

Also of interest is the source code in mssql-django, which gives more insight into the options chosen when connecting to a SQL Server instance. mssql-django: base.py

Check this related SO question: Connection string using Windows Authentication
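The keytab-based renewal described in the quoted documentation, as an added example that is not part of the question, the answer or Microsoft's documentation. It refuses to use a keytab that other accounts can read, then runs kinit without a password prompt; the principal name, keytab path and KRB_* environment variable names are constructed placeholders.

```python
import os
import stat
import subprocess
import sys


def keytab_problem(path):
    """Return a reason the keytab must not be used, or None if it looks safe."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "keytab not found"
    if not stat.S_ISREG(st.st_mode):
        return "keytab is not a regular file"
    if st.st_mode & 0o077:
        # The keytab holds the principal's key: anyone who can read it can log in as it.
        return "keytab is accessible to group or other (expected mode 0600)"
    if st.st_uid != os.geteuid():
        return "keytab is not owned by the account running the service"
    return None


def have_ticket(run=subprocess.run):
    """klist -s prints nothing; exit status 0 means unexpired tickets are cached."""
    return run(["klist", "-s"]).returncode == 0


def refresh_ticket(principal, keytab, run=subprocess.run):
    """Get a fresh TGT from the keytab without a password prompt. Returns the argv used."""
    problem = keytab_problem(keytab)
    if problem:
        raise PermissionError(f"{keytab}: {problem}")
    argv = ["kinit", "-k", "-t", keytab, principal]
    run(argv, check=True)  # raises CalledProcessError if kinit fails
    return argv


if __name__ == "__main__":
    # Constructed defaults; schedule from cron more often than the ticket lifetime.
    principal = os.environ.get("KRB_PRINCIPAL", "svc-django@EXAMPLE.COM")
    keytab = os.environ.get("KRB_KEYTAB", "/etc/django/svc-django.keytab")
    refresh_ticket(principal, keytab)
    sys.exit(0 if have_ticket() else 1)
```

Run it as the same account that runs the Django service, so the ticket lands in the credential cache the ODBC driver reads.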