Multiple backends stack

Authentication	Users	Password
✔	✔

Presentation

This backend allows to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed…

Configuration

You have to use “Multi” as authentication module. This scheme expect a parameter, which is the authentication chain.

For example:

Authentication             => Multi
Multi authentication stack => CAS;LDAP

If CAS failed, LDAP will be used.

You can also add a condition. Example:

multiAuthStack => Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/'

If Multi is used for authentication and user database, it will try to use the same module. Example, if you have “DBI;LDAP” and DBI failed for authentication, Multi will try first to call LDAP as user database.

Advanced configuration

The “Multi” system can :

stack several times the same module with a different name
overload any LL::NG parameter when a specific backend is used

Overloading is not available trough the manager

To stack several times the same module, use “#name” with different names. Example:

multiAuthStack =>  LDAP#Openldap; LDAP#ActiveDirectory

Then you can have different parameters for each stored in a Perl hash entry named multi:

multi => {
    'LDAP#Openldap' => {
      'ldapServer' => 'ldap1.example.com',
      'LDAPFilter' => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
      'ldapServer' => 'ldaps://ad.example.com',
      'LDAPFilter' => '(&(sAMAccountName=$user)(objectClass=person))',
    }
},

This key must be stored directly in portal index.pl file or in lemonldap-ng.ini:

for index.pl, set it in new():

my $portal = Lemonldap::NG::Portal::SharedConf->new({
multi => {
    'LDAP#Openldap' => {
      'ldapServer' => 'ldap1.example.com',
      'LDAPFilter' => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
      'ldapServer' => 'ldaps://ad.example.com',
      'LDAPFilter' => '(&(sAMAccountName=$user)(objectClass=person))',
    }
},
})

or to use lemonldap-ng.ini, install it (one line only) in [portal] section:

[portal]
multi = {'LDAP#Openldap'=>{'ldapServer'=>'ldap1.example.com','LDAPFilter'=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{'ldapServer'=>'ldaps://ad.example.com','LDAPFilter'=>'(&(sAMAccountName=$user)(objectClass=person))'}}

Known problems

AuthApache authentication

When using this module, LL::NG portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401.

To bypass this, follow the documentation of AuthApache module

SSL authentication

To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only.