2012-02-25 23:45:20 +01:00
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
 lang="en" dir="ltr">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title></title>
  <!-- metadata -->
  <meta name="generator" content="Offline" />
  <meta name="version" content="Offline 0.1" />
  <!-- style sheet links -->
  <link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
  <link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
  <link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="multiple_backends_stack">Multiple backends stack</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign">Authentication</th><th class="col1 centeralign">Users</th><th class="col2 centeralign">Password</th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign">✔</td><td class="col1 centeralign">✔</td><td class="col2"></td>
</tr>
</table></div>
<!-- EDIT2 TABLE [40 - 103] -->
</div>
<!-- EDIT1 SECTION "Multiple backends stack" [1 - 104] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
This backend allows chaining authentication methods, for example to fall back to LDAP authentication if Remote authentication fails.
</p>
</div>
<!-- EDIT3 SECTION "Presentation" [105 - 265] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
You have to use “Multi” as the authentication module. This scheme expects one parameter, which is the authentication chain.
</p>
<p>
For example:
</p>
<pre class="code">Authentication => Multi
Multi authentication stack => CAS;LDAP</pre>
<p>
If <abbr title="Central Authentication Service">CAS</abbr> fails, LDAP will be used.
</p>
<p>
You can also add a condition. Example:
</p>
<pre class="code">multiAuthStack => Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/</pre>
<div class="notetip">If Multi is used for both authentication and user database, it will try to use the same module for both. For example, if you have “<abbr title="Database Interface">DBI</abbr>;LDAP” and <abbr title="Database Interface">DBI</abbr> failed for authentication, Multi will first try to call LDAP as user database.
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [266 - 916] -->
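<p>
An added example, not part of the LemonLDAP::NG documentation or code base: the Perl sketch below mimics how a conditional stack picks a module from the client address, and shows that <code>/^192/</code> matches every address beginning with 192, not only 192.168.0.0/16. The helper <code>selected_modules</code>, the anchored pattern and the sample addresses are assumptions made for illustration.
</p>

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustration only (hypothetical helper, not LL::NG's own parser):
# split a multiAuthStack value into "module condition" entries and
# return the modules whose condition is true for a given REMOTE_ADDR.
sub selected_modules {
    my ( $stack, $remote_addr ) = @_;
    local $ENV{REMOTE_ADDR} = $remote_addr;
    my @selected;
    for my $entry ( split /\s*;\s*/, $stack ) {
        my ( $module, $cond ) = $entry =~ /^\s*(\S+)(?:\s+(.+?))?\s*$/
          or next;

        # An entry without a condition is always eligible. String eval is
        # used only because the stacks below are constants of this script,
        # in the same way a stack is written by an administrator.
        my $ok = defined $cond ? eval $cond : 1;
        die "bad condition '$cond': $@" if $@;
        push @selected, $module if $ok;
    }
    return @selected;
}

# Stack taken from the example on this page.
my $page_stack =
  'Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/';

# Assumed tighter variant: only 192.168.0.0/16 is routed to Remote.
my $anchored_stack =
  'Remote $ENV{REMOTE_ADDR}=~/^192\.168\./;LDAP $ENV{REMOTE_ADDR}!~/^192\.168\./';

# Constructed sample addresses: private, documentation range, private.
for my $addr (qw(192.168.1.20 192.0.2.44 10.1.2.3)) {
    printf "%-13s page stack: %-7s anchored stack: %s\n", $addr,
      join( ',', selected_modules( $page_stack,     $addr ) ),
      join( ',', selected_modules( $anchored_stack, $addr ) );
}
```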
<h3 class="sectionedit5" id="advanced_configuration">Advanced configuration</h3>
<div class="level3">
<p>
The “Multi” system can:
</p>
<ul>
<li class="level1"><div class="li">stack the same module several times under different names</div>
</li>
<li class="level1"><div class="li">overload any <abbr title="LemonLDAP::NG">LL::NG</abbr> <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameter</a> when a specific backend is used</div>
</li>
</ul>
<div class="notetip">Overloading is not available through the Manager.
</div>
<p>
To stack the same module several times, use “#name” with different names. Example:
</p>
<pre class="code">multiAuthStack => LDAP#Openldap; LDAP#ActiveDirectory</pre>
<p>
Then you can have different <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameters</a> for each, stored in a Perl hash entry named multi:
</p>
<pre class="code perl">multi => {
    'LDAP#Openldap' => {
        'ldapServer' => 'ldap1.example.com',
        'LDAPFilter' => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
        'ldapServer' => 'ldaps://ad.example.com',
        'LDAPFilter' => '(&amp;(sAMAccountName=$user)(objectClass=person))',
    }
},</pre>
<p>
This key must be stored directly in the portal index.pl file or in lemonldap-ng.ini:
</p>
<ul>
<li class="level1"><div class="li">for index.pl, set it in new():</div>
</li>
</ul>
<pre class="code perl">my $portal = Lemonldap::NG::Portal::SharedConf->new( {
    multi => {
        'LDAP#Openldap' => {
            'ldapServer' => 'ldap1.example.com',
            'LDAPFilter' => '(uid=$user)',
        },
        'LDAP#ActiveDirectory' => {
            'ldapServer' => 'ldaps://ad.example.com',
            'LDAPFilter' => '(&amp;(sAMAccountName=$user)(objectClass=person))',
        }
    },
} )</pre>
<ul>
<li class="level1"><div class="li">or, to use <code>lemonldap-ng.ini</code>, put it (on one line only) in the [portal] section:</div>
</li>
</ul>
<pre class="code ini">[portal]
multi={'LDAP#Openldap'=>{'ldapServer'=>'ldap1.example.com','LDAPFilter'=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{'ldapServer'=>'ldaps://ad.example.com','LDAPFilter'=>'(&amp;(sAMAccountName=$user)(objectClass=person))'}}</pre>
</div>
<!-- EDIT5 SECTION "Advanced configuration" [917 - 2560] -->
<h2 class="sectionedit6" id="known_problems">Known problems</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "Known problems" [2561 - 2588] -->
<h3 class="sectionedit7" id="authapache_authentication">AuthApache authentication</h3>
<div class="level3">
<p>
When using this module, the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401.
</p>
<p>
To bypass this, follow the documentation of the <a href="../../documentation/1.9/authapache.html#use_kerberos_with_multiple_authentication_backend" class="wikilink1" title="documentation:1.9:authapache">AuthApache module</a>.
</p>
</div>
<!-- EDIT7 SECTION "AuthApache authentication" [2589 - 2953] -->
<h3 class="sectionedit8" id="ssl_authentication">SSL authentication</h3>
<div class="level3">
<p>
To chain SSL, you have to set “SSLRequire optional” in the Apache configuration; otherwise users will be authenticated by SSL only.
</p>
</div>
</div> <!-- closes <div class="dokuwiki export"> -->