@@ -268,18 +270,54 @@ The following rule is valid:
-
Known problems
+
Combine second factor
+
+
+
+Imagine you want to authenticate users either by SSL or LDAP+U2F, you can't directly write this rule: this is done in 2 steps:
+
+
+
use this combination rule: [SSL,LDAP] or [LDAP]
+
+
enable U2F with this rule: $_auth eq “LDAP” or $_authenticationLevel < 4(and adapt U2F authentication level)
+
+
+
+
+Now if you want to authenticate users either by LDAP or LDAP+U2F (to have 2 different authentication level), 2 possibilities:
+
+
+
configure 2 portals and overwrite U2F activation in the second
+
+
Modify login template to propose the choice (add a “submit” button that points to the second portal)
+
+
+
+
+
+
Display multiple forms
+
+
+
+Combination module returns the form corresponding to the first authentication scheme available for the current request. You can force it to display the forms chosen using combinationForms in lemonldap-ng.ini. Example:
+
SAML, OpenID-Connect, CAS or old OpenID can't be chained with a “and” for authentication part. So “[SAML] and [LDAP]” isn't valid. This is because their authentication kinematic don't use the same steps.
-
+
Bad expression
Solution
Explanation
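Review bot: the new sections land in the wrong place in this hunk, because they are inserted after the existing "Known problems" heading, so the pre-existing paragraph "SAML, OpenID-Connect, CAS or old OpenID can't be chained with a 'and'" and the "Bad expression / Solution / Explanation" table now read as part of "Display multiple forms" instead of "Known problems". Move "Combine second factor" and "Display multiple forms" above the "Known problems" heading. The "Display multiple forms" paragraph also ends with "Example:" and is followed directly by that known-problems paragraph, so the promised combinationForms example for lemonldap-ng.ini is missing; add it before merging. In the "Combine second factor" steps, the U2F activation rule is shown as `$_auth eq “LDAP” or $_authenticationLevel < 4(and adapt U2F authentication level)`: use straight ASCII quotes in the rule (typographic quotes will not parse as a Perl string literal) and move "(and adapt U2F authentication level)" out of the rule text so a reader does not paste it into the configuration, e.g. `$_auth eq "LDAP" or $_authenticationLevel < 4` followed by a separate sentence. Since this rule enables the second factor on the authentication level, it is worth stating explicitly which level value U2F must be raised to so that users who passed SSL (level ≥ 4) are not silently exempted; the text only says "adapt". Minor wording: "2 different authentication level" should be "levels", and "authentication kinematic don't use" should be "authentication kinematics don't use".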
@@ -292,10 +330,10 @@ The following rule is valid:
[SAML] and [LDAP] or [LDAP]
[SAML, SAML and LDAP] or [LDAP]
Authentication is done by SAML or LDAP but user must match an LDAP entry
-
+
-
-
AuthApache authentication
+
+
AuthApache authentication
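Review bot: this hunk is whitespace-only (blank lines removed and re-added), but the context shows the "AuthApache authentication" heading twice in a row with only blank lines between; confirm the heading is not duplicated in the rendered page and drop the repeat if it is. The table rows kept as context ("[SAML] and [LDAP] or [LDAP]" / "[SAML, SAML and LDAP] or [LDAP]") are unchanged, so no review concern there.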
@@ -311,8 +349,8 @@ To bypass this, follow the documentation of
-