Multiple backends stack

This backend allows to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed…

You have to use Multiple as authentication modul (this will also force Multiple for the users module). Then go in Multiple parameters to define the modules to chain for authentication and users. Modules are separated by semi-colons/

For example:

CAS;LDAP

If CAS failed, LDAP will be used.

You can also add a condition. Example:

Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/'

The Multiple system can :

• stack several times the same module with a different name
• overload any LL::NG parameter when a specific backend is used

To stack several times the same module, use “#name” with different names. Example:

LDAP#Openldap; LDAP#ActiveDirectory

Then you can have different parameters for each stored in a Perl hash entry named multi:

multi => {
    'LDAP#Openldap' => {
      'ldapServer' => 'ldap1.example.com',
      'LDAPFilter' => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
      'ldapServer' => 'ldaps://ad.example.com',
      'LDAPFilter' => '(&(sAMAccountName=$user)(objectClass=person))',
    }
},

This key must be stored directly in lemonldap-ng.ini:

[portal]
multi = {'LDAP#Openldap'=>{'ldapServer'=>'ldap1.example.com','LDAPFilter'=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{'ldapServer'=>'ldaps://ad.example.com','LDAPFilter'=>'(&(sAMAccountName=$user)(objectClass=person))'}}

When using this module, LL::NG portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401.

To bypass this, follow the documentation of AuthApache module

To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only.