<abbr title="LemonLDAP::NG">LL::NG</abbr> can delegate authentication to Apache, so it is possible to use any <a href="http://httpd.apache.org/docs/current/howto/auth.html" class="urlextern" title="http://httpd.apache.org/docs/current/howto/auth.html" rel="nofollow">Apache authentication module</a>, for example Kerberos, Radius, OTP, etc.
<div class="noteimportant">To authenticate users using Kerberos, you can now use the new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos authentication module</a>, which allows Kerberos to be chained in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a>.
</div><div class="notetip">The Apache authentication module will set the <code>REMOTE_USER</code> environment variable, which will be used by <abbr title="LemonLDAP::NG">LL::NG</abbr> to get the authenticated user.
</div>
<p>
In General Parameters > Authentication modules, choose <code>Apache</code> as authentication backend.
</p>
<p>
You may want to fall back to another authentication backend in case the Apache authentication fails. In that case, use the <a href="authmulti.html" class="wikilink1" title="documentation:2.0:authmulti">Multiple authentication module</a>, for example:
</p>
<pre class="code">Apache;LDAP</pre>
<div class="notetip">In this case, the Apache authentication module should not require a valid user and should not be authoritative; otherwise the Apache server will return an error and will not let the <abbr title="LemonLDAP::NG">LL::NG</abbr> Portal manage the fallback authentication.
</div>
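<p>
The two conditions in the note above can be checked mechanically before enabling <code>Apache;LDAP</code>. The following is an added example, not part of the LL::NG documentation or code base: the function names, the sample configuration blocks and the htpasswd path are constructed for illustration, and <code>AuthBasicAuthoritative</code> is the mod_auth_basic directive used as the sample "authoritative" switch.
</p>

```python
# Added example: lint an Apache block against the note's two conditions
# (no "Require valid-user", module not authoritative). Sample input is constructed.

STRICT = """\
<Location />
    AuthType Basic
    AuthName "Portal"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/portal.htpasswd
    Require valid-user
</Location>
"""

# Same constructed block with both conditions met (checker input only).
RELAXED = STRICT.replace("Require valid-user", "AuthBasicAuthoritative Off")


def directives(conf):
    """Yield (line number, directive, arguments), lower-cased for matching."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # blank line, comment, or section tag
        parts = line.split(None, 1)
        yield lineno, parts[0].lower(), (parts[1] if len(parts) > 1 else "").lower()


def fallback_findings(conf):
    """Return [(line number, message)] for settings that stop the portal falling back."""
    findings, uses_auth, non_authoritative = [], False, False
    for lineno, name, args in directives(conf):
        if name == "authtype":
            uses_auth = True
        elif name == "require" and args.split()[:1] == ["valid-user"]:
            findings.append((lineno, "valid user required: Apache returns an error "
                                     "before the portal can try the next backend"))
        elif name.endswith("authoritative"):
            if args == "off":
                non_authoritative = True
            else:
                findings.append((lineno, name + " is not Off: module stays authoritative"))
                non_authoritative = None  # already reported on its own line
    if uses_auth and non_authoritative is False:
        # Line 0 marks a finding about a missing directive rather than a present one.
        findings.append((0, "no *Authoritative Off directive found"))
    return findings


if __name__ == "__main__":
    for label, conf in (("STRICT", STRICT), ("RELAXED", RELAXED)):
        print(label, fallback_findings(conf) or "ok for Apache;LDAP fallback")
```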
The Kerberos configuration is quite complex. You can find some configuration tips <a href="kerberos.html" class="wikilink1" title="documentation:2.0:kerberos">on this page</a>.
<h3 class="sectionedit9" id="compatibility_with_identity_provider_modules">Compatibility with Identity Provider modules</h3>
<div class="level3">
<p>
When using IDP modules (like <abbr title="Central Authentication Service">CAS</abbr> or <abbr title="Security Assertion Markup Language">SAML</abbr>), activating Apache authentication can alter their operation. This is because the client often needs to request the IDP directly, and the Apache authentication will block the request.
</p>
<p>
In this case, you can add in the Apache authentication module:
</p>
<pre class="code file apache"><span class="kw1">Satisfy</span> any