2012-02-25 23:45:20 +01:00
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="stack_multiple_backends_authmulti" id="stack_multiple_backends_authmulti">Stack multiple backends (AuthMulti)</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication</th><th class="col1">Users</th><th class="col2">Password</th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign">✔</td><td class="col1 centeralign">✔</td><td class="col2"></td>
</tr>
</table>
</div>
<!-- SECTION "Stack multiple backends (AuthMulti)" [1 - 109] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
This backend lets you chain authentication methods, for example to fall back to <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> authentication when Remote authentication fails.
</p>
</div>
<!-- SECTION "Presentation" [110 - 270] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
<p>
Set the authentication module to “Multi”. This module expects one parameter, the authentication chain: a list of backends separated by “;”, tried in order until one succeeds.
</p>
<p>
For example:
</p>
<pre class="code">
Multi CAS;LDAP
</pre>
<p>
If <acronym title="Central Authentication Service">CAS</acronym> fails, <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> is used.
</p>
<p>
You can also add a condition after a backend name, separated by a space. The condition is a Perl expression evaluated against the request environment; the backend is only tried when it is true. Example:
</p>
<pre class="code">
Multi Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/
</pre>
<p>
Here Remote is tried only for clients whose address starts with 192, and <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> only for the others.
</p>
<div class="notetip">If Multi is used for both authentication and the user database, it tries to use the same module for both. For example, with “<acronym title="Database Interface">DBI</acronym>;<acronym title="Lightweight Directory Access Protocol">LDAP</acronym>”, if <acronym title="Database Interface">DBI</acronym> fails for authentication and <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> succeeds, Multi will try <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> first as the user database.
</div>
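<p>
The following is an added example, not code from LemonLDAP::NG: a stand-alone Perl emulation of how a chain such as the one above is parsed and walked. It shows the “;”-separated list being split into (module, condition) pairs, each condition evaluated as a Perl expression against the request environment, the fallback to the next backend on failure, and the successful module being remembered so that the user-database step can try it first, as the tip describes. The backends are stubs, and the return codes, helper names and parsing rules are assumptions made for this example; the real module's internals may differ.
</p>

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: a stand-alone emulation of how a
# "Multi" chain such as
#     Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/
# is parsed and walked. The backends are stubs and the return codes, helper
# names and parsing rules are assumptions made for this example.
use strict;
use warnings;

# Return codes in the spirit of LL::NG's PE_OK / PE_BADCREDENTIALS / PE_ERROR.
use constant { PE_OK => 0, PE_BADCREDENTIALS => 5, PE_ERROR => 24 };

# "Mod1 cond1;Mod2 cond2;Mod3" -> [ [module, condition or undef], ... ].
# Entries are separated by ";"; inside an entry the first run of whitespace
# separates the module name from its condition, so conditions may contain
# spaces. Whitespace around an entry (as in "A; B") is ignored.
sub parse_chain {
    my ($chain) = @_;
    my @stack;
    for my $entry ( split /;/, $chain ) {
        $entry =~ s/^\s+|\s+$//g;
        next unless length $entry;
        my ( $module, $cond ) = split /\s+/, $entry, 2;
        push @stack, [ $module, $cond ];
    }
    return \@stack;
}

# A condition is a Perl expression written by the administrator and evaluated
# against %ENV, the web server's request environment. It is trusted
# configuration, never user input: whatever reaches this eval runs as the
# portal. No condition means "always try this backend"; one that does not
# compile is reported and treated as false, so its backend is skipped.
sub condition_holds {
    my ( $cond, $env ) = @_;
    return 1 unless defined $cond && length $cond;
    local %ENV = %$env;
    my $ok = eval $cond;
    warn "condition '$cond' failed to compile: $@" if $@;
    return $ok ? 1 : 0;
}

# Walk the chain in order: skip backends whose condition is false, stop at the
# first PE_OK and report which module succeeded. If nothing succeeds, return
# the last backend's error (or PE_ERROR when no backend was tried at all).
sub authenticate {
    my ( $chain, $env, $backends, $user, $password ) = @_;
    my $last = PE_ERROR;
    for my $entry ( @{ parse_chain($chain) } ) {
        my ( $module, $cond ) = @$entry;
        next unless condition_holds( $cond, $env );
        my $impl = $backends->{$module}
            or die "no backend registered for '$module'";
        $last = $impl->( $user, $password );
        return { code => PE_OK, module => $module } if $last == PE_OK;
    }
    return { code => $last, module => undef };
}

# Order in which the user-database backends would be tried after a successful
# authentication: the module that authenticated the user first, then the
# others in chain order (the behaviour the tip above describes).
sub userdb_order {
    my ( $chain, $auth_module ) = @_;
    my @names = map { $_->[0] } @{ parse_chain($chain) };
    return [ ( grep { $_ eq $auth_module } @names ),
             ( grep { $_ ne $auth_module } @names ) ];
}

# Constructed stub backends: "Remote" only knows alice, "LDAP" only knows bob.
my %backends = (
    Remote => sub { $_[0] eq 'alice' && $_[1] eq 's3cret'  ? PE_OK : PE_BADCREDENTIALS },
    LDAP   => sub { $_[0] eq 'bob'   && $_[1] eq 'hunter2' ? PE_OK : PE_BADCREDENTIALS },
);

my $chain = 'Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/';

for my $case (
    [ 'internal client, bob', { REMOTE_ADDR => '192.168.1.10' }, $chain ],
    [ 'external client, bob', { REMOTE_ADDR => '203.0.113.7' },  $chain ],
    [ 'no conditions, bob',   { REMOTE_ADDR => '192.168.1.10' }, 'Remote;LDAP' ],
) {
    my ( $label, $env, $stack ) = @$case;
    my $r = authenticate( $stack, $env, \%backends, 'bob', 'hunter2' );
    my $module = $r->{module} // 'none';
    print "$label: code=$r->{code} module=$module";
    print " userdb order=", join( ',', @{ userdb_order( $stack, $module ) } )
        if $r->{code} == PE_OK;
    print "\n";
}
```

<p>
Run it with perl and no arguments. From 192.168.1.10 only Remote is tried (its condition is true, LDAP's is false), so bob is refused; from 203.0.113.7 Remote is skipped and LDAP accepts him, and LDAP would be tried first as user database; with the unconditional chain “Remote;LDAP” the portal simply falls through from Remote to LDAP. In this emulation a condition that does not compile is treated as false, so its backend is silently skipped: test every condition before deploying it, since a typo removes a backend from the chain rather than failing loudly.
</p>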
</div>
<!-- SECTION "Configuration" [271 - 849] -->
<h3><a name="advanced_configuration" id="advanced_configuration">Advanced configuration</a></h3>
<div class="level3">
<p>
The “Multi” system can:
</p>
<ul>
<li class="level1"><div class="li">stack the same module several times under different names</div>
</li>
<li class="level1"><div class="li">overload any <acronym title="LemonLDAP::NG">LL::NG</acronym> <a href="../../documentation/1.3/parameterlist.html" class="wikilink1" title="documentation:1.3:parameterlist">parameter</a> when a specific backend is used</div>
</li>
</ul>
<div class="notetip">Overloading is not available through the Manager.
</div>
<p>
To stack the same module several times, suffix it with “#name”, using a different name for each instance. Example:
</p>
<pre class="code">
Multi LDAP#Openldap;LDAP#ActiveDirectory
</pre>
<p>
Each instance can then have its own <a href="../../documentation/1.3/parameterlist.html" class="wikilink1" title="documentation:1.3:parameterlist">parameters</a>, stored in a <acronym title="Practical Extraction and Report Language">Perl</acronym> hash entry named multi, keyed by the “Module#name” string:
</p>
< pre class = "code perl" > multi < span class = "sy0" > => < / span > < span class = "br0" > { < / span >
< span class = "st_h" > 'LDAP#Openldap'< / span > < span class = "sy0" > => < / span > < span class = "br0" > { < / span >
ldapServer < span class = "sy0" > => < / span > < span class = "st_h" > 'ldap1.example.com'< / span > < span class = "sy0" > ,< / span >
LDAPFilter < span class = "sy0" > => < / span > < span class = "st_h" > '(uid=$user)'< / span > < span class = "sy0" > ,< / span >
< span class = "br0" > } < / span > < span class = "sy0" > ,< / span >
< span class = "st_h" > 'LDAP#ActiveDirectory'< / span > < span class = "sy0" > => < / span > < span class = "br0" > { < / span >
ldapServer < span class = "sy0" > => < / span > < span class = "st_h" > 'ldaps://ad.example.com'< / span > < span class = "sy0" > ,< / span >
LDAPFilter < span class = "sy0" > => < / span > < span class = "st_h" > '(& (sAMAccountName=$user)(objectClass=person))'< / span > < span class = "sy0" > ,< / span >
< span class = "br0" > } < / span >
< span class = "br0" > } < / span > < span class = "sy0" > ,< / span > < / pre >
<p>
This key must be set directly in the portal's index.pl file or in lemonldap-ng.ini:
</p>
<ul>
<li class="level1"><div class="li">for index.pl, pass it to new():</div>
</li>
</ul>
< pre class = "code perl" > < span class = "kw1" > my< / span > < span class = "re0" > $portal< / span > < span class = "sy0" > =< / span > Lemonldap< span class = "sy0" > ::< / span > < span class = "me2" > NG< / span > < span class = "sy0" > ::< / span > < span class = "me2" > Portal< / span > < span class = "sy0" > ::< / span > < span class = "me2" > SharedConf< / span > < span class = "sy0" > -> < / span > < span class = "me1" > new< / span > < span class = "br0" > ( < / span > < span class = "br0" > { < / span >
multi < span class = "sy0" > => < / span > < span class = "br0" > { < / span >
< span class = "st_h" > 'LDAP#Openldap'< / span > < span class = "sy0" > => < / span > < span class = "br0" > { < / span >
ldapServer < span class = "sy0" > => < / span > < span class = "st_h" > 'ldap1.example.com'< / span > < span class = "sy0" > ,< / span >
LDAPFilter < span class = "sy0" > => < / span > < span class = "st_h" > '(uid=$user)'< / span > < span class = "sy0" > ,< / span >
< span class = "br0" > } < / span > < span class = "sy0" > ,< / span >
< span class = "st_h" > 'LDAP#ActiveDirectory'< / span > < span class = "sy0" > => < / span > < span class = "br0" > { < / span >
ldapServer < span class = "sy0" > => < / span > < span class = "st_h" > 'ldaps://ad.example.com'< / span > < span class = "sy0" > ,< / span >
LDAPFilter < span class = "sy0" > => < / span > < span class = "st_h" > '(& (sAMAccountName=$user)(objectClass=person))'< / span > < span class = "sy0" > ,< / span >
< span class = "br0" > } < / span >
< span class = "br0" > } < / span > < span class = "sy0" > ,< / span >
< span class = "br0" > } < / span > < span class = "br0" > ) < / span > < / pre >
<ul>
<li class="level1"><div class="li">or, to use lemonldap-ng.ini, set it (on one line only) in the [portal] section:</div>
</li>
</ul>
< pre class = "code ini" > < span class = "re0" > < span class = "br0" > [ < / span > portal< span class = "br0" > ] < / span > < / span >
< span class = "re1" > multi< / span > < span class = "sy0" > =< / span > < span class = "re2" > < span class = "br0" > { < / span > 'LDAP#Openldap'< span class = "sy0" > =< / span > > < span class = "br0" > { < / span > ldapServer< span class = "sy0" > =< / span > > 'ldap1.example.com',LDAPFilter< span class = "sy0" > =< / span > > '< span class = "br0" > ( < / span > uid< span class = "sy0" > =< / span > $user< span class = "br0" > ) < / span > '< span class = "br0" > } < / span > ,'LDAP#ActiveDirectory'< span class = "sy0" > =< / span > > < span class = "br0" > { < / span > ldapServer< span class = "sy0" > =< / span > > 'ldaps://ad.example.com',LDAPFilter< span class = "sy0" > =< / span > > '< span class = "br0" > ( < / span > & < span class = "br0" > ( < / span > sAMAccountName< span class = "sy0" > =< / span > $user< span class = "br0" > ) < / span > < span class = "br0" > ( < / span > objectClass< span class = "sy0" > =< / span > person< span class = "br0" > ) < / span > < span class = "br0" > ) < / span > '< span class = "br0" > } < / span > < span class = "br0" > } < / span > < / span > < / pre >
</div>
<!-- SECTION "Advanced configuration" [850 - 2452] -->
<h2><a name="known_problems" id="known_problems">Known problems</a></h2>
<div class="level2">
</div>
<!-- SECTION "Known problems" [2453 - 2480] -->
<h3><a name="authapache_authentication" id="authapache_authentication">AuthApache authentication</a></h3>
<div class="level3">
<p>
When AuthApache is in the chain, the <acronym title="LemonLDAP::NG">LL::NG</acronym> portal is only reached if Apache does not answer “401 Authentication required”. But that is exactly what Apache does when its authentication module fails: it returns 401 itself, so the request never reaches the portal and the next backend in the chain is never tried. We're studying a future solution for this.
</p>
</div>
<!-- SECTION "AuthApache authentication" [2481 - 2762] -->
<h3><a name="ssl_authentication" id="ssl_authentication">SSL authentication</a></h3>
<div class="level3">
<p>
To chain <acronym title="Secure Sockets Layer">SSL</acronym> with other backends, set “SSLVerifyClient optional” in the Apache configuration of the portal. With “SSLVerifyClient require”, Apache rejects any client that does not present a valid certificate before the portal runs, so users can only be authenticated by <acronym title="Secure Sockets Layer">SSL</acronym> and the following backends in the chain are never tried. With “optional”, a client without a certificate still reaches the portal, which can then move on to the next backend.
</p>
</div>
<!-- SECTION "SSL authentication" [2763 - ] --></div><!-- closes <div class="dokuwiki export"> -->