| Authentification | Utilisateurs | Mot-de-passe |
|---|---|---|
| ✔ | ✔ |
This backend allows one to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed…
You have to use Combination as authentication module (users module must be set to “Same”). Then go in Combination parameters to :
Each module that will be used in combination rule must be declared. You must set:
Par exemple :
| Nom | Type | Scope |
|---|---|---|
| DB1 | DBI | Auth only |
| DB2 | DBI | User DB only |
Usually, you can't declare two modules of the same type if they don't have the same parameters. For example, usually you can't declare a MySQL DBI and a PostgreSQL DBI, because there is no extra field for PostgreSQL parameters. Now with Combination, you can declare some overloaded parameters. For example, if DBI is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the “dbiChain” parameter.
Combination allows:
[LDAP] and [DBI])[LDAP] or [DBI])
Each scheme must be enclose in []. A comma separates auth and user DB modules. If only one value is set, the same is used for both.
Remember that schemes in rules are the names declared above.
| Exemple | Explanation |
|---|---|
[myLDAP] or [myDBI] | If myLDAP fails, use myDBI |
[mySSL, myLDAP] or [myLDAP, myLDAP] | Try mySSL for auth and myLDAP for userDB. If fails, switch to myLDAP for both |
[myLDAP] or [myDBI1] or [myDBI2] | Try myLDAP, then if it fails, myDBI1, then if it fails myDBI2 |
[mySSL and myLDAP, myLDAP ] | Use mySSL and myLDAP to authentify, myLDAP to get user |
[mySSL, myLDAP] or [myLDAP, myLDAP]
| Exemple | Explanation |
|---|---|
[myDBI1] and [myDBI2] or [myLDAP] | Try myDBI1 and myDBI2, if it fails, try myLDAP |
[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2] | Try myDBI1 and myDBI2, if it fails, try myLDAP and myDBI2 |
If you think to “( [myLDAP] or [myDBI1] ) and [myDBI2]”, you must write [myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]
Test can use only the $env variable. It contains the FastCGI environment variables.
| Exemple | Explanation |
|---|---|
if($env→{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else [mySSL, myLDAP] | If user doesn't come from 10.0.0.0/8 network, use SSL as authentication module |
if($env→{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else if($env→{REMOTE_ADDR} =~ /^192/) then [myDBI1] else [myDBI2] | Chain tests |
If you wants to write if(…) then if…, you must write if(not …) then … else if(…)…
The following rule is valid:
if($env→{REMOTE_ADDR} =~ /^192\./) then [mySSL, myLDAP] or [myLDAP] else [myLDAP and myDBI, myLDAP]
SAML, OpenID-Connect, CAS or old OpenID can't be chained with a “and” for authentication part. So “[SAML] and [LDAP]” isn't valid. This is because their authentication kinematic don't use the same steps.
| Bad expression | Solution | Explanation |
|---|---|---|
[SAML] and [LDAP] | [SAML, SAML and LDAP] | Authentication is done by SAML only but user must match an LDAP entry |
[SAML] and [LDAP] or [LDAP] | [SAML, SAML and LDAP] or [LDAP] | Authentication is done by SAML or LDAP but user must match an LDAP entry |
En utilisant ce module, le portail LL::NG est appelé uniquement si Apache ne retourne pas “401 Authentication required”, aucune bascule n'est donc possible. So Kerberos can be used only with a “and” boolean expression.
Example: [ Apache and LDAP, LDAP ]
Pour outrepasser ceci, suivre la documentation du module AuthApache
Pour chaîner SSL, il est nécessaire de mettre “SSLRequire optional” dans le fichier de configuration Apache, sinon les utilisateurs ne seront authentifiés que par SSL.