< !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
< html xmlns = "http://www.w3.org/1999/xhtml" xml:lang = "en"
lang="en" dir="ltr">
< head >
< meta http-equiv = "Content-Type" content = "text/html; charset=utf-8" / >
< title > < / title >
<!-- metadata -->
< meta name = "generator" content = "Offline" / >
< meta name = "version" content = "Offline 0.1" / >
<!-- style sheet links -->
< link rel = "stylesheet" media = "all" type = "text/css" href = "../../../css/all.css" / >
< link rel = "stylesheet" media = "screen" type = "text/css" href = "../../../css/screen.css" / >
< link rel = "stylesheet" media = "print" type = "text/css" href = "../../../css/print.css" / >
< / head >
< body >
< div class = "dokuwiki export" >
< h1 class = "sectionedit1" id = "apache" > Apache< / h1 >
< div class = "level1" >
< div class = "table sectionedit2" > < table class = "inline" >
< thead >
< tr class = "row0 roweven" >
< th class = "col0 centeralign" > Authentication < / th > < th class = "col1 centeralign" > Users < / th > < th class = "col2 centeralign" > Password < / th >
< / tr >
< / thead >
< tr class = "row1 rowodd" >
< td class = "col0 centeralign" > ✔ < / td > < td class = "col1" > < / td > < td class = "col2" > < / td >
< / tr >
< / table > < / div >
<!-- EDIT2 TABLE [22 - 79] -->
< / div >
<!-- EDIT1 SECTION "Apache" [1 - 80] -->
< h2 class = "sectionedit3" id = "presentation" > Presentation< / h2 >
< div class = "level2" >
< p >
< abbr title = "LemonLDAP::NG" > LL::NG< / abbr > can delegate authentication to Apache, so it is possible to use any < a href = "http://httpd.apache.org/docs/current/howto/auth.html" class = "urlextern" title = "http://httpd.apache.org/docs/current/howto/auth.html" rel = "nofollow" > Apache authentication module< / a > , for example Kerberos, Radius, OTP, etc.
< / p >
< p >
< p > < div class = "notetip" > The Apache authentication module sets the < code > REMOTE_USER< / code > environment variable, which < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > uses to identify the authenticated user.
< / div > < / p >
< / p >
< / div >
<!-- EDIT3 SECTION "Presentation" [81 - 463] -->
< h2 class = "sectionedit4" id = "configuration" > Configuration< / h2 >
< div class = "level2" >
< / div >
<!-- EDIT4 SECTION "Configuration" [464 - 490] -->
< h3 class = "sectionedit5" id = "llng" > LL::NG< / h3 >
< div class = "level3" >
< p >
In General Parameters > Authentication modules, choose < code > Apache< / code > as the authentication backend.
< / p >
< p >
You may want to fall back to another authentication backend in case the Apache authentication fails. To do so, use the < a href = "../../documentation/1.9/authmulti.html" class = "wikilink1" title = "documentation:1.9:authmulti" > Multiple authentication module< / a > , for example:
< / p >
< pre class = "code" > Multi Apache;LDAP< / pre >
< p >
< p > < div class = "notetip" > In this case, the Apache authentication module should not require a valid user and should not be authoritative; otherwise the Apache server will return an error and will not let the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > Portal manage the fallback authentication.
< / div > < / p >
< / p >
< / div >
<!-- EDIT5 SECTION "LL::NG" [491 - 1036] -->
< h3 class = "sectionedit6" id = "apache1" > Apache< / h3 >
< div class = "level3" >
< p >
The Apache configuration depends on the module you choose, so refer to that module's documentation, for example:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < a href = "http://modauthkerb.sourceforge.net/" class = "urlextern" title = "http://modauthkerb.sourceforge.net/" rel = "nofollow" > Kerberos< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > < a href = "http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" class = "urlextern" title = "http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" rel = "nofollow" > NTLM< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > < a href = "http://freeradius.org/mod_auth_radius/" class = "urlextern" title = "http://freeradius.org/mod_auth_radius/" rel = "nofollow" > Radius< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > …< / div >
< / li >
< / ul >
< / div >
<!-- EDIT6 SECTION "Apache" [1037 - 1371] -->
< h2 class = "sectionedit7" id = "tips" > Tips< / h2 >
< div class = "level2" >
< / div >
<!-- EDIT7 SECTION "Tips" [1372 - 1389] -->
< h3 class = "sectionedit8" id = "kerberos" > Kerberos< / h3 >
< div class = "level3" >
< p >
The Kerberos configuration is quite complex. You can find some configuration tips < a href = "../../documentation/1.9/kerberos.html" class = "wikilink1" title = "documentation:1.9:kerberos" > on this page< / a > .
< / p >
< / div >
<!-- EDIT8 SECTION "Kerberos" [1390 - 1519] -->
< h3 class = "sectionedit9" id = "compatibility_with_identity_provider_modules" > Compatibility with Identity Provider modules< / h3 >
< div class = "level3" >
< p >
When using IDP modules (like < abbr title = "Central Authentication Service" > CAS< / abbr > or < abbr title = "Security Assertion Markup Language" > SAML< / abbr > ), activating Apache authentication can alter their operation. This is because the client often needs to request the IDP directly, and the Apache authentication will block the request.
< / p >
< p >
In this case, you can add the following to the Apache authentication module configuration:
< / p >
< pre class = "code file apache" > < span class = "kw1" > Satisfy< / span > any
< span class = "kw1" > Order< / span > < span class = "kw1" > allow< / span > ,< span class = "kw1" > deny< / span >
< span class = "kw1" > allow< / span > from APPLICATIONS_IP< / pre >
< p >
This will bypass the authentication module for requests from APPLICATIONS_< abbr title = "Internet Protocol" > IP< / abbr > .
< / p >
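< p >
An added example, not part of the LL::NG documentation: because Satisfy any lets every host matched by an Allow from line skip the authentication module, this Python check audits a configuration for bypass sources wider than a single application server. The sample configuration, the /24 threshold and the function names are assumptions made for the illustration.
< / p >

```python
import ipaddress

# Constructed sample configuration; paths and addresses are illustrative only.
SAMPLE_CONFIG = """
<Location /portal>
    Satisfy any
    Order allow,deny
    Allow from 192.0.2.10
</Location>
<Location /idp>
    Satisfy any
    Order allow,deny
    Allow from 10.0.0.0/8 APPLICATIONS_IP
</Location>
"""

def broad_reason(source, min_prefix):
    """Say why an 'Allow from' source is too wide, else None (IPv6 width not checked)."""
    if source.lower() == "all":
        return "every client skips authentication"
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return "hostname, partial IP or unreplaced placeholder"
    if net.version == 4 and net.prefixlen < min_prefix:
        return f"network wider than /{min_prefix}"
    return None

def audit_satisfy_any(config_text, min_prefix=24):
    """List (section, source, reason) for each wide bypass under 'Satisfy any'."""
    # Simplification: each section is checked alone; Apache's section merging is not modelled.
    findings, stack = [], [{"name": "<global>", "any": False, "allow": []}]
    def close(section):
        for source in section["allow"] if section["any"] else []:
            if reason := broad_reason(source, min_prefix):
                findings.append((section["name"], source, reason))
    for line in map(str.strip, config_text.splitlines()):
        key = [w.lower() for w in line.split()[:2]]
        if line.startswith("</"):
            if len(stack) > 1:
                close(stack.pop())
        elif line.startswith("<"):
            stack.append({"name": line, "any": False, "allow": []})
        elif key[:1] == ["satisfy"]:
            stack[-1]["any"] = key == ["satisfy", "any"]
        elif key == ["allow", "from"]:
            stack[-1]["allow"] += line.split()[2:]
    while stack:
        close(stack.pop())
    return findings
```

< p >
On Apache 2.4, the Satisfy, Order and Allow directives are provided by mod_access_compat.
< / p >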
< / div >
< / div > <!-- closes <div class="dokuwiki export"> -->