<abbr title="LemonLDAP::NG">LL::NG</abbr> can delegate authentication to Apache, so it is possible to use any <a href="http://httpd.apache.org/docs/current/howto/auth.html" class="urlextern" title="http://httpd.apache.org/docs/current/howto/auth.html" rel="nofollow">Apache authentication module</a>, for example Kerberos, Radius, OTP, etc.
</p>
<div class="notetip">The Apache authentication module sets the <code>REMOTE_USER</code> environment variable, which <abbr title="LemonLDAP::NG">LL::NG</abbr> uses to identify the authenticated user.
In General Parameters &gt; Authentication modules, choose <code>Apache</code> as the authentication backend.
</p>
<p>
You may want to fall back to another authentication backend if the Apache authentication fails. In that case, use the <a href="authmulti.html" class="wikilink1" title="documentation:2.0:authmulti">Multiple authentication module</a>, for example:
</p>
<pre class="code">Apache;LDAP</pre>
<div class="notetip">In this case, the Apache authentication module should not require a valid user and should not be authoritative; otherwise the Apache server will return an error and will not let the <abbr title="LemonLDAP::NG">LL::NG</abbr> Portal handle the fallback authentication.
</div>
</div>
<h3 class="sectionedit6" id="apache1">Apache</h3>
<div class="level3">
<p>
The Apache configuration depends on the module you choose; refer to the module documentation, for example:
The Kerberos configuration is quite complex. You can find some configuration tips <a href="kerberos.html" class="wikilink1" title="documentation:2.0:kerberos">on this page</a>.
</p>
</div>
<h3 class="sectionedit9" id="compatibility_with_identity_provider_modules">Compatibility with Identity Provider modules</h3>
<div class="level3">
<p>
When using IDP modules (like <abbr title="Central Authentication Service">CAS</abbr> or <abbr title="Security Assertion Markup Language">SAML</abbr>), activating Apache authentication can alter their operation. This is because the client often needs to request the IDP directly, and the Apache authentication will block the request.
</p>
<p>
In this case, you can add the following to the Apache authentication module configuration:
</p>
<pre class="code file apache"><span class="kw1">Satisfy</span> any