167 lines
8.6 KiB
HTML
167 lines
8.6 KiB
HTML
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
|
|
lang="en" dir="ltr">
|
|
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title></title>
|
|
<!-- metadata -->
|
|
<meta name="generator" content="Offline" />
|
|
<meta name="version" content="Offline 0.1" />
|
|
<!-- style sheet links -->
|
|
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
|
|
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
|
|
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
|
|
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export">
|
|
|
|
|
|
<h1 class="sectionedit1" id="multiple_backends_stack">Multiple backends stack</h1>
|
|
<div class="level1">
|
|
<div class="table sectionedit2"><table class="inline">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0 centeralign"> ✔ </td><td class="col1 centeralign"> ✔ </td><td class="col2"> </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT2 TABLE [40-103] -->
|
|
</div>
|
|
<!-- EDIT1 SECTION "Multiple backends stack" [1-104] -->
|
|
<h2 class="sectionedit3" id="presentation">Presentation</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
This backend allows to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed…
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT3 SECTION "Presentation" [105-265] -->
|
|
<h2 class="sectionedit4" id="configuration">Configuration</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
You have to use “Multi” as authentication module. This scheme expect a parameter, which is the authentication chain.
|
|
</p>
|
|
|
|
<p>
|
|
For example:
|
|
</p>
|
|
<pre class="code">Authentication => Multi
|
|
Multi authentication stack => CAS;LDAP</pre>
|
|
|
|
<p>
|
|
If <abbr title="Central Authentication Service">CAS</abbr> failed, LDAP will be used.
|
|
</p>
|
|
|
|
<p>
|
|
You can also add a condition. Example:
|
|
</p>
|
|
<pre class="code">multiAuthStack => Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/'</pre>
|
|
|
|
<p>
|
|
<p><div class="notetip">If Multi is used for authentication and user database, it will try to use the same module. Example, if you have “<abbr title="Database Interface">DBI</abbr>;LDAP” and <abbr title="Database Interface">DBI</abbr> failed for authentication, Multi will try first to call LDAP as user database.
|
|
</div></p>
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT4 SECTION "Configuration" [266-916] -->
|
|
<h3 class="sectionedit5" id="advanced_configuration">Advanced configuration</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The “Multi” system can :
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> stack several times the same module with a different name</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> overload any <abbr title="LemonLDAP::NG">LL::NG</abbr> <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameter</a> when a specific backend is used</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
<p><div class="notetip">Overloading is not available trough the manager
|
|
</div></p>
|
|
</p>
|
|
|
|
<p>
|
|
To stack several times the same module, use “#name” with different names. Example:
|
|
</p>
|
|
<pre class="code">multiAuthStack => LDAP#Openldap; LDAP#ActiveDirectory</pre>
|
|
|
|
<p>
|
|
Then you can have different <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameters</a> for each stored in a Perl hash entry named multi:
|
|
</p>
|
|
<pre class="code perl">multi <span class="sy0">=></span> <span class="br0">{</span>
|
|
<span class="st_h">'LDAP#Openldap'</span> <span class="sy0">=></span> <span class="br0">{</span>
|
|
<span class="st_h">'ldapServer'</span> <span class="sy0">=></span> <span class="st_h">'ldap1.example.com'</span><span class="sy0">,</span>
|
|
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=></span> <span class="st_h">'(uid=$user)'</span><span class="sy0">,</span>
|
|
<span class="br0">}</span><span class="sy0">,</span>
|
|
<span class="st_h">'LDAP#ActiveDirectory'</span> <span class="sy0">=></span> <span class="br0">{</span>
|
|
<span class="st_h">'ldapServer'</span> <span class="sy0">=></span> <span class="st_h">'ldaps://ad.example.com'</span><span class="sy0">,</span>
|
|
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=></span> <span class="st_h">'(&(sAMAccountName=$user)(objectClass=person))'</span><span class="sy0">,</span>
|
|
<span class="br0">}</span>
|
|
<span class="br0">}</span><span class="sy0">,</span></pre>
|
|
|
|
<p>
|
|
This key must be stored directly in portal index.pl file or in lemonldap-ng.ini:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> for index.pl, set it in new():</div>
|
|
</li>
|
|
</ul>
|
|
<pre class="code perl"><span class="kw1">my</span> <span class="re0">$portal</span> <span class="sy0">=</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">SharedConf</span><span class="sy0">-></span><span class="kw2">new</span><span class="br0">(</span><span class="br0">{</span>
|
|
multi <span class="sy0">=></span> <span class="br0">{</span>
|
|
<span class="st_h">'LDAP#Openldap'</span> <span class="sy0">=></span> <span class="br0">{</span>
|
|
<span class="st_h">'ldapServer'</span> <span class="sy0">=></span> <span class="st_h">'ldap1.example.com'</span><span class="sy0">,</span>
|
|
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=></span> <span class="st_h">'(uid=$user)'</span><span class="sy0">,</span>
|
|
<span class="br0">}</span><span class="sy0">,</span>
|
|
<span class="st_h">'LDAP#ActiveDirectory'</span> <span class="sy0">=></span> <span class="br0">{</span>
|
|
<span class="st_h">'ldapServer'</span> <span class="sy0">=></span> <span class="st_h">'ldaps://ad.example.com'</span><span class="sy0">,</span>
|
|
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=></span> <span class="st_h">'(&(sAMAccountName=$user)(objectClass=person))'</span><span class="sy0">,</span>
|
|
<span class="br0">}</span>
|
|
<span class="br0">}</span><span class="sy0">,</span>
|
|
<span class="br0">}</span><span class="br0">)</span></pre>
|
|
<ul>
|
|
<li class="level1"><div class="li"> or to use <code>lemonldap-ng.ini</code>, install it (one line only) in [portal] section:</div>
|
|
</li>
|
|
</ul>
|
|
<pre class="code ini"><span class="re0"><span class="br0">[</span>portal<span class="br0">]</span></span>
|
|
<span class="re1">multi</span> <span class="sy0">=</span><span class="re2"> <span class="br0">{</span>'LDAP#Openldap'<span class="sy0">=</span>><span class="br0">{</span>'ldapServer'<span class="sy0">=</span>>'ldap1.example.com','LDAPFilter'<span class="sy0">=</span>>'<span class="br0">(</span>uid<span class="sy0">=</span>$user<span class="br0">)</span>'<span class="br0">}</span>,'LDAP#ActiveDirectory'<span class="sy0">=</span>><span class="br0">{</span>'ldapServer'<span class="sy0">=</span>>'ldaps://ad.example.com','LDAPFilter'<span class="sy0">=</span>>'<span class="br0">(</span>&<span class="br0">(</span>sAMAccountName<span class="sy0">=</span>$user<span class="br0">)</span><span class="br0">(</span>objectClass<span class="sy0">=</span>person<span class="br0">)</span><span class="br0">)</span>'<span class="br0">}</span><span class="br0">}</span></span></pre>
|
|
|
|
</div>
|
|
<!-- EDIT5 SECTION "Advanced configuration" [917-2560] -->
|
|
<h2 class="sectionedit6" id="known_problems">Known problems</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT6 SECTION "Known problems" [2561-2588] -->
|
|
<h3 class="sectionedit7" id="authapache_authentication">AuthApache authentication</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
When using this module, <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401.
|
|
</p>
|
|
|
|
<p>
|
|
To bypass this, follow the documentation of <a href="../../documentation/1.9/authapache.html#use_kerberos_with_multiple_authentication_backend" class="wikilink1" title="documentation:1.9:authapache">AuthApache module</a>
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT7 SECTION "AuthApache authentication" [2589-2953] -->
|
|
<h3 class="sectionedit8" id="ssl_authentication">SSL authentication</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only.
|
|
</p>
|
|
|
|
</div>
|
|
</div><!-- closes <div class="dokuwiki export">--> |