You have to use <code>Combination</code> as the authentication module (the users module must be set to “Same”). Then go to <code>Combination parameters</code> to:
</p>
<ul>
<li class="level1"><div class="li"> declare the modules that will be used</div>
</li>
<li class="level1"><div class="li"> set the rule chain</div>
<li class="level1"><div class="li"> overwritten parameters: you can redefine any LLNG string parameter. For example, if you use 2 different LDAP servers, the first can use the normal configuration and, for the second, overwritten parameters can redefine ldapServer,…</div>
<td class="col0"> DB2 </td><td class="col1"><abbr title="Database Interface">DBI</abbr></td><td class="col2"> User DB only </td><td class="col3"> dbiAuthChain ⇒ “mysql:…” </td>
Usually, you can't declare two modules of the same type if they don't have the same parameters. For example, you usually can't declare a MySQL <abbr title="Database Interface">DBI</abbr> and a PostgreSQL <abbr title="Database Interface">DBI</abbr>, because there is no extra field for the PostgreSQL parameters. With Combination, you can declare overloaded parameters. For example, if <abbr title="Database Interface">DBI</abbr> is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the “dbiChain” parameter.
<th class="col0"> Example </th><th class="col1"> Explanation </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"><code>[myLDAP] or [myDBI]</code></td><td class="col1"> If myLDAP fails, use myDBI </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code></td><td class="col1"> Try mySSL for auth and myLDAP for userDB. If that fails, switch to myLDAP for both </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 leftalign"><code>[myLDAP] or [myDBI1] or [myDBI2]</code></td><td class="col1"> Try myLDAP, then if it fails, myDBI1, then if it fails, myDBI2 </td>
</tr>
<tr class="row4 roweven">
<td class="col0 leftalign"><code>[mySSL and myLDAP, myLDAP ]</code></td><td class="col1"> Use mySSL and myLDAP to authenticate, myLDAP to get the user </td>
<th class="col0"> Example </th><th class="col1"> Explanation </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"><code>[myDBI1] and [myDBI2] or [myLDAP]</code></td><td class="col1"> Try myDBI1 and myDBI2; if that fails, try myLDAP </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><code>[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2]</code></td><td class="col1"> Try myDBI1 and myDBI2; if that fails, try myLDAP and myDBI2 </td>
<th class="col0"> Example </th><th class="col1"> Explanation </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"><code>if($env->{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else [mySSL, myLDAP]</code></td><td class="col1"> If the user doesn't come from the 10.0.0.0/8 network, use SSL as the authentication module </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><code>if($env->{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else if($env->{REMOTE_ADDR} =~ /^192/) then [myDBI1] else [myDBI2]</code></td><td class="col1"> Chain tests </td>
The Combination module returns the form corresponding to the first authentication scheme available for the current request. You can force it to display the forms of your choice using <code>combinationForms</code> in lemonldap-ng.ini. Example:
<a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML</a>, <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID-Connect</a>, <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a> or <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID</a> can't be chained with an “and” for the authentication part. So “[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]” isn't valid. This is because their authentication flows don't use the same steps.
<td class="col0"><em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]</code></em></td><td class="col1"><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP]</code></td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> only but user must match an LDAP entry </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em></td><td class="col1"><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code></td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
When using this module, the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal is called only if Apache does not return “401 Authentication required”, so no failover is possible. So it can be used only with an “and” boolean expression.
<div class="notetip">The new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos authentication module</a> solves this for Kerberos: you just have to use it instead of Apache and enable authentication by Ajax in Kerberos parameters.
To chain SSL, you have to set “SSLRequire optional” in the Apache configuration file; otherwise users will be authenticated by SSL only.
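The boolean rule tables above, modelled as an added example (not LemonLDAP::NG's own parser and not code from this documentation), so you can check which alternative ends up accepting a login before deploying a rule. Assumptions: the function names and the `SAMPLE` outcomes are constructed, each module is reduced to a pass/fail result per role (authentication, user DB), and `if … then … else` rules are not handled.

```python
import re

# Constructed outcome of one login attempt per module: (auth_ok, userdb_ok).
# Module names are the ones used in the rule tables; the values are made up.
SAMPLE = {
    "myLDAP": (True, True),
    "mySSL": (False, False),
    "myDBI1": (True, True),
    "myDBI2": (False, False),
}

def _expr(text, results, role):
    """Evaluate 'a and b or c' over module names; 'and' binds tighter than 'or'."""
    return any(
        all(results[name.strip()][role] for name in re.split(r"\s+and\s+", group))
        for group in re.split(r"\s+or\s+", text.strip())
    )

def scheme_ok(body, results):
    """[auth, userdb] succeeds when both parts do; [x] uses x for both roles."""
    parts = body.split(",")
    return _expr(parts[0], results, 0) and _expr(parts[-1], results, 1)

def evaluate(rule, results):
    """Return the first 'or' alternative whose schemes all succeed, else None."""
    alternatives, current = [], []
    for body, op in re.findall(r"\[([^\]]*)\]|\b(and|or)\b", rule):
        if op == "or":
            alternatives.append(current)
            current = []
        elif not op:
            current.append(" ".join(body.split()))
    alternatives.append(current)
    for alt in alternatives:
        if alt and all(scheme_ok(body, results) for body in alt):
            return " and ".join(f"[{body}]" for body in alt)
    return None

if __name__ == "__main__":
    for rule in ("[mySSL, myLDAP] or [myLDAP, myLDAP]",
                 "[myDBI1] and [myDBI2] or [myLDAP]",
                 "[mySSL and myLDAP, myLDAP ]"):
        print(f"{rule!r:45} -> {evaluate(rule, SAMPLE)}")
```

A `None` result means no alternative accepted the login; with an `or` chain, the weakest alternative that can succeed on its own is the effective authentication requirement.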