You have to use <code>Combination</code> as the authentication module (the users module must be set to “Same”). Then go to <code>Combination parameters</code> to:
</p>
<ul>
<li class="level1"><div class="li"> declare the modules that will be used</div>
</li>
<li class="level1"><div class="li"> set the rule chain</div>
<th class="col0"> Name </th><th class="col1"> Type </th><th class="col2"> Scope </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> DB1 </td><td class="col1"><abbr title="Database Interface">DBI</abbr></td><td class="col2"> Auth only </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> DB2 </td><td class="col1"><abbr title="Database Interface">DBI</abbr></td><td class="col2"> User DB only </td>
</tr>
</table></div>
<p>
Usually, you can't declare two modules of the same type if they don't have the same parameters. For example, usually you can't declare a MySQL <abbr title="Database Interface">DBI</abbr> and a PostgreSQL <abbr title="Database Interface">DBI</abbr>, because there is no extra field for PostgreSQL parameters. Now with Combination, you can declare some overloaded parameters. For example, if <abbr title="Database Interface">DBI</abbr> is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the “dbiChain” parameter.
<th class="col0"> Example </th><th class="col1"> Explanation </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"><code>[myLDAP] or [myDBI]</code></td><td class="col1"> If myLDAP fails, use myDBI </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code></td><td class="col1"> Try mySSL for auth and myLDAP for userDB. If that fails, switch to myLDAP for both </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 leftalign"><code>[myLDAP] or [myDBI1] or [myDBI2]</code></td><td class="col1"> Try myLDAP, then if it fails, myDBI1, then if it fails, myDBI2 </td>
</tr>
<tr class="row4 roweven">
<td class="col0 leftalign"><code>[mySSL and myLDAP, myLDAP ]</code></td><td class="col1"> Use mySSL and myLDAP to authenticate, myLDAP to get the user </td>
</tr>
</table></div>
<div class="noteimportant">Note that “or” can't be used inside a scheme.
If you mean “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code>
<th class="col0"> Example </th><th class="col1"> Explanation </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"><code>[myDBI1] and [myDBI2] or [myLDAP]</code></td><td class="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><code>[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2]</code></td><td class="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP and myDBI2 </td>
</tr>
</table></div>
<div class="noteimportant">You can't use parentheses in a boolean expression, and “and” takes precedence over “or”.
<p>
If you mean “( [myLDAP] or [myDBI1] ) and [myDBI2]”, you must write <code>[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]</code>
</p>
</div>
</div>
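<p>
The two rewrites described in the notes above (no “or” inside a scheme, no parentheses, “and” binding tighter than “or”) can be done mechanically. This is an added example, not LemonLDAP::NG code: <code>flatten</code> and its helpers are hypothetical names, and it handles boolean expressions only, not <code>if … then … else</code> tests.
</p>

```python
import re
from itertools import product

# Tokens: a whole [scheme], a parenthesis, or the keywords and/or.
TOKEN = re.compile(r"\[[^\]]*\]|\(|\)|\band\b|\bor\b")

def expand_scheme(tok):
    """'[a or b, u]' -> ['[a, u]', '[b, u]'], since "or" is not allowed in a scheme."""
    parts = [re.split(r"\s+or\s+", p.strip()) for p in tok[1:-1].split(",")]
    return ["[" + ", ".join(combo) + "]" for combo in product(*parts)]

def parse_atom(toks):
    if not toks:
        raise ValueError("unexpected end of expression")
    tok = toks.pop(0)
    if tok == "(":
        terms = parse_or(toks)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return terms
    if tok.startswith("["):
        return [[s] for s in expand_scheme(tok)]
    raise ValueError(f"unexpected token {tok!r}")

def parse_and(toks):
    terms = parse_atom(toks)
    while toks and toks[0] == "and":
        toks.pop(0)
        right = parse_atom(toks)
        # Distribute "and" over every alternative, keeping left-to-right order.
        terms = [l + r for l in terms for r in right]
    return terms

def parse_or(toks):
    terms = parse_and(toks)
    while toks and toks[0] == "or":
        toks.pop(0)
        terms += parse_and(toks)
    return terms

def flatten(expr):
    """Rewrite a parenthesised expression as 'A and B or C and D'."""
    toks = TOKEN.findall(expr)
    strip = lambda s: re.sub(r"\s+", "", s)
    if strip("".join(toks)) != strip(expr):
        raise ValueError("unrecognised text in expression")
    terms = parse_or(toks)
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return " or ".join(" and ".join(t) for t in terms)
```

<p>
<code>flatten("( [myLDAP] or [myDBI1] ) and [myDBI2]")</code> returns the form given in the note above, with alternatives kept in the order they were written so the same modules are tried first.
</p>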
<h4 id="tests">Tests</h4>
<div class="level4">
<p>
Tests can use only the <code>$env</code> variable, which contains the FastCGI environment variables.
<th class="col0"> Example </th><th class="col1"> Explanation </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"><code>if($env-&gt;{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else [mySSL, myLDAP]</code></td><td class="col1"> If the user doesn't come from the 10.0.0.0/8 network, use SSL as the authentication module </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><code>if($env-&gt;{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else if($env-&gt;{REMOTE_ADDR} =~ /^192/) then [myDBI1] else [myDBI2]</code></td><td class="col1"> Chain tests </td>
</tr>
</table></div>
<div class="noteimportant">Note that parentheses can't be used except to enclose the test.
<p>
If you want to write <code>if(…) then if…</code>, you must write <code>if(not …) then … else if(…)…</code>
</p>
</div>
</div>
<h4 id="let_s_be_crazy">Let's be crazy</h4>
<div class="level4">
<p>
The following rule is valid:
</p>
<p>
<code>if($env-&gt;{REMOTE_ADDR} =~ /^192\./) then [mySSL, myLDAP] or [myLDAP] else [myLDAP and myDBI, myLDAP]</code>
The Combination module returns the form corresponding to the first authentication scheme available for the current request. You can force it to display the forms chosen using <code>combinationForms</code> in lemonldap-ng.ini. Example:
<a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML</a>, <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID-Connect</a>, <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a> or <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID</a> can't be chained with an “and” for the authentication part, so “[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]” isn't valid. This is because their authentication flows don't use the same steps.
<td class="col0"><em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]</code></em></td><td class="col1"><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP]</code></td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> only but user must match an LDAP entry </td>
</tr>
<tr class="row2 roweven">
<td class="col0"><em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em></td><td class="col1"><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code></td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
When using this module, the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401. So it can be used only with an “and” boolean expression.
<div class="notetip">The new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos authentication module</a> solves this for Kerberos: you just have to use it instead of Apache and enable authentication by Ajax in Kerberos parameters.