Django actually is already using LDAP for authentication (company LDAP
server, not under my control). In fact, I also have MediaWiki tied into
the same LDAP server.
What I'm trying to avoid is logging into the Django site, clicking to
get to the wiki (which is a part of the overall web site, the Django
piece being the main content part), and having the user log in again
(with exactly the same credentials).
What happened originally is that the Django site had no security while
MediaWiki was read-only to everybody and read/write when you logged in.
Now upper management MUST HAVE security on the Django part, so I was
trying to avoid having people log in twice. This means that MediaWiki
is read-only if the user has a certain Django permission and read/write
given another Django permission (which would tie into 'guest' for
read-only and actually authenticated if read/write as far as MediaWiki
is concerned).
You'll most likely have to write an authentication plugin for
MediaWiki to trust the cookie created from Django. This can be
tricky... See the CentralAuth extension
(http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/CentralAuth/)
for an example of an authentication plugin that trusts other cookies.
That plugin is more complex than you need, but it's a good example.
I definitely recommend going with some form of web sso though. You can
set up an OpenSSO server that points to your LDAP server, and protect
the web server with a web agent. Then you can install an HTTP auth
plugin. With web sso, you can decide which URLs are protected, from
what IPs, and can set up access policies based on groups and such.
Corporate web authentication only gets harder over time. Next they'll
probably be asking to have third parties accessing your sites, or
they'll want roles that cross applications. Web sso might be a PITA at
first, but it'll save you a lot of trouble later.
V/r,
Ryan Lane
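
The cookie-trust approach discussed in this thread, sketched as an added example that is not part of either message and is not code from Django, MediaWiki or CentralAuth: the Django side issues an HMAC-signed, expiring cookie value carrying the username and wiki access level, and the wiki side verifies it before trusting anything in it. The shared key, the permission codenames `wiki.view` / `wiki.edit` and the token layout are assumptions; a real MediaWiki plugin would implement the same verification in PHP.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"  # assumption: secret known to both apps only
MAX_AGE = 900                         # seconds a token stays valid
# Hypothetical Django permission codenames; edit is listed first so it wins over view.
PERM_TO_WIKI = {"wiki.edit": "readwrite", "wiki.view": "readonly"}

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload):
    return b64e(hmac.new(SHARED_KEY, payload, hashlib.sha256).digest())

def issue_token(username, perms, now=None):
    """Django side: build the cookie value after a successful LDAP login."""
    level = next((PERM_TO_WIKI[p] for p in PERM_TO_WIKI if p in perms), None)
    if level is None:
        return None  # no wiki permission at all: issue no cookie
    claims = {"u": username, "lvl": level, "exp": int(now or time.time()) + MAX_AGE}
    body = json.dumps(claims).encode()
    return b64e(body) + "." + sign(body)

def verify_token(token, now=None):
    """Wiki side: return (user, level), or None if the cookie cannot be trusted."""
    try:
        body_b64, sig = token.split(".")
        body = b64d(body_b64)
        # Check the signature in constant time before parsing any claim.
        if not hmac.compare_digest(sig, sign(body)):
            return None
        claims = json.loads(body)
        if claims["exp"] < int(now or time.time()):
            return None  # expired: force a fresh login through Django
        if claims["lvl"] not in PERM_TO_WIKI.values():
            return None
        return claims["u"], claims["lvl"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed input is treated the same as a bad signature
```

On the wiki side, `readonly` would map to the 'guest' case and `readwrite` to an authenticated user, as described in the first message.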