102 lines
2.4 KiB
ReStructuredText
102 lines
2.4 KiB
ReStructuredText
|
Apache
|
||
|
======
|
||
|
|
||
|
============== ===== ========
|
||
|
Authentication Users Password
|
||
|
============== ===== ========
|
||
|
✔
|
||
|
============== ===== ========
|
||
|
|
||
|
Presentation
|
||
|
------------
|
||
|
|
||
|
LL::NG can delegate authentication to Apache, so it is possible to use
|
||
|
any `Apache authentication
|
||
|
module <http://httpd.apache.org/docs/current/howto/auth.html>`__, for
|
||
|
example Kerberos, Radius, OTP, etc.
|
||
|
|
||
|
|
||
|
.. important::
|
||
|
|
||
|
To authenticate users using Kerberos, you can now use
|
||
|
the new :doc:`Kerberos authentication module<authkerberos>` which allow
|
||
|
one to chain Kerberos in a :doc:`combination<authcombination>`\
|
||
|
|
||
|
|
||
|
.. tip::
|
||
|
|
||
|
Apache authentication module will set the ``REMOTE_USER``
|
||
|
environment variable, which will be used by LL::NG to get authenticated
|
||
|
user.
|
||
|
|
||
|
Configuration
|
||
|
-------------
|
||
|
|
||
|
LL::NG
|
||
|
~~~~~~
|
||
|
|
||
|
In General Parameters > Authentication modules, choose ``Apache`` as
|
||
|
authentication backend.
|
||
|
|
||
|
You may want to failback to another authentication backend in case of
|
||
|
the Apache authentication fails. Use then the
|
||
|
:doc:`Multiple authentication module<authmulti>`, for example:
|
||
|
|
||
|
::
|
||
|
|
||
|
Apache;LDAP
|
||
|
|
||
|
|
||
|
.. tip::
|
||
|
|
||
|
In this case, the Apache authentication module should not
|
||
|
require a valid user and not be authoritative, else Apache server will
|
||
|
return an error and not let LL::NG Portal manage the failback
|
||
|
authentication.
|
||
|
|
||
|
.. _apache-1:
|
||
|
|
||
|
Apache
|
||
|
~~~~~~
|
||
|
|
||
|
The Apache configuration depends on the module you choose, you need to
|
||
|
look at the module documentation, for example:
|
||
|
|
||
|
- `Kerberos <http://modauthkerb.sourceforge.net/>`__
|
||
|
- `NTLM <http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm>`__
|
||
|
- `Radius <http://freeradius.org/mod_auth_radius/>`__
|
||
|
- ...
|
||
|
|
||
|
Tips
|
||
|
----
|
||
|
|
||
|
Kerberos
|
||
|
~~~~~~~~
|
||
|
|
||
|
The Kerberos configuration is quite complex. You can find some
|
||
|
configuration tips :doc:`on this page<kerberos>`.
|
||
|
|
||
|
|
||
|
.. tip::
|
||
|
|
||
|
Prefer new :doc:`Kerberos<authkerberos>` module.
|
||
|
|
||
|
Compatibility with Identity Provider modules
|
||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
|
||
|
When using IDP modules (like CAS or SAML), the activation of Apache
|
||
|
authentication can alter the operation. This is because the client often
|
||
|
need to request directly the IDP, and the Apache authentication will
|
||
|
block the request.
|
||
|
|
||
|
In this case, you can add in the Apache authentication module:
|
||
|
|
||
|
.. code:: apache
|
||
|
|
||
|
Satisfy any
|
||
|
Order allow,deny
|
||
|
allow from APPLICATIONS_IP
|
||
|
|
||
|
This will bypass the authentication module for request from
|
||
|
APPLICATIONS_IP.
|