dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0d47bd9d20
lemonldap-ng/doc/pages/documentation/1.9/authmulti.html
Clément Oudot 1b3063f271 Move documentation from 2.0 to 1.9
2015-12-18 09:46:34 +00:00

167 lines
8.6 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="multiple_backends_stack">Multiple backends stack</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1 centeralign"></td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [40-103] -->
</div>
<!-- EDIT1 SECTION "Multiple backends stack" [1-104] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
This backend allows to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed…
</p>
</div>
<!-- EDIT3 SECTION "Presentation" [105-265] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
You have to use “Multi” as authentication module. This scheme expect a parameter, which is the authentication chain.
</p>
<p>
For example:
</p>
<pre class="code">Authentication =&gt; Multi
Multi authentication stack =&gt; CAS;LDAP</pre>
<p>
If <abbr title="Central Authentication Service">CAS</abbr> failed, LDAP will be used.
</p>
<p>
You can also add a condition. Example:
</p>
<pre class="code">multiAuthStack =&gt; Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/&#039;</pre>
<p>
<p><div class="notetip">If Multi is used for authentication and user database, it will try to use the same module. Example, if you have “<abbr title="Database Interface">DBI</abbr>;LDAP” and <abbr title="Database Interface">DBI</abbr> failed for authentication, Multi will try first to call LDAP as user database.
</div></p>
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [266-916] -->
<h3 class="sectionedit5" id="advanced_configuration">Advanced configuration</h3>
<div class="level3">
<p>
The “Multi” system can :
</p>
<ul>
<li class="level1"><div class="li"> stack several times the same module with a different name</div>
</li>
<li class="level1"><div class="li"> overload any <abbr title="LemonLDAP::NG">LL::NG</abbr> <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameter</a> when a specific backend is used</div>
</li>
</ul>
<p>
<p><div class="notetip">Overloading is not available trough the manager
</div></p>
</p>
<p>
To stack several times the same module, use “#name” with different names. Example:
</p>
<pre class="code">multiAuthStack =&gt; LDAP#Openldap; LDAP#ActiveDirectory</pre>
<p>
Then you can have different <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameters</a> for each stored in a Perl hash entry named multi:
</p>
<pre class="code perl">multi <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'LDAP#Openldap'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'ldapServer'</span> <span class="sy0">=&gt;</span> <span class="st_h">'ldap1.example.com'</span><span class="sy0">,</span>
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=&gt;</span> <span class="st_h">'(uid=$user)'</span><span class="sy0">,</span>
<span class="br0">&#125;</span><span class="sy0">,</span>
<span class="st_h">'LDAP#ActiveDirectory'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'ldapServer'</span> <span class="sy0">=&gt;</span> <span class="st_h">'ldaps://ad.example.com'</span><span class="sy0">,</span>
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=&gt;</span> <span class="st_h">'(&amp;(sAMAccountName=$user)(objectClass=person))'</span><span class="sy0">,</span>
<span class="br0">&#125;</span>
<span class="br0">&#125;</span><span class="sy0">,</span></pre>
<p>
This key must be stored directly in portal index.pl file or in lemonldap-ng.ini:
</p>
<ul>
<li class="level1"><div class="li"> for index.pl, set it in new():</div>
</li>
</ul>
<pre class="code perl"><span class="kw1">my</span> <span class="re0">$portal</span> <span class="sy0">=</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">SharedConf</span><span class="sy0">-&gt;</span><span class="kw2">new</span><span class="br0">&#40;</span><span class="br0">&#123;</span>
multi <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'LDAP#Openldap'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'ldapServer'</span> <span class="sy0">=&gt;</span> <span class="st_h">'ldap1.example.com'</span><span class="sy0">,</span>
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=&gt;</span> <span class="st_h">'(uid=$user)'</span><span class="sy0">,</span>
<span class="br0">&#125;</span><span class="sy0">,</span>
<span class="st_h">'LDAP#ActiveDirectory'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'ldapServer'</span> <span class="sy0">=&gt;</span> <span class="st_h">'ldaps://ad.example.com'</span><span class="sy0">,</span>
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=&gt;</span> <span class="st_h">'(&amp;(sAMAccountName=$user)(objectClass=person))'</span><span class="sy0">,</span>
<span class="br0">&#125;</span>
<span class="br0">&#125;</span><span class="sy0">,</span>
<span class="br0">&#125;</span><span class="br0">&#41;</span></pre>
<ul>
<li class="level1"><div class="li"> or to use <code>lemonldap-ng.ini</code>, install it (one line only) in [portal] section:</div>
</li>
</ul>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">multi</span> <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span>'LDAP#Openldap'<span class="sy0">=</span>&gt;<span class="br0">&#123;</span>'ldapServer'<span class="sy0">=</span>&gt;'ldap1.example.com','LDAPFilter'<span class="sy0">=</span>&gt;'<span class="br0">&#40;</span>uid<span class="sy0">=</span>$user<span class="br0">&#41;</span>'<span class="br0">&#125;</span>,'LDAP#ActiveDirectory'<span class="sy0">=</span>&gt;<span class="br0">&#123;</span>'ldapServer'<span class="sy0">=</span>&gt;'ldaps://ad.example.com','LDAPFilter'<span class="sy0">=</span>&gt;'<span class="br0">&#40;</span>&amp;<span class="br0">&#40;</span>sAMAccountName<span class="sy0">=</span>$user<span class="br0">&#41;</span><span class="br0">&#40;</span>objectClass<span class="sy0">=</span>person<span class="br0">&#41;</span><span class="br0">&#41;</span>'<span class="br0">&#125;</span><span class="br0">&#125;</span></span></pre>
</div>
<!-- EDIT5 SECTION "Advanced configuration" [917-2560] -->
<h2 class="sectionedit6" id="known_problems">Known problems</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "Known problems" [2561-2588] -->
<h3 class="sectionedit7" id="authapache_authentication">AuthApache authentication</h3>
<div class="level3">
<p>
When using this module, <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401.
</p>
<p>
To bypass this, follow the documentation of <a href="../../documentation/1.9/authapache.html#use_kerberos_with_multiple_authentication_backend" class="wikilink1" title="documentation:1.9:authapache">AuthApache module</a>
</p>
</div>
<!-- EDIT7 SECTION "AuthApache authentication" [2589-2953] -->
<h3 class="sectionedit8" id="ssl_authentication">SSL authentication</h3>
<div class="level3">
<p>
To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only.
</p>
</div>
</div><!-- closes <div class="dokuwiki export">-->
Reference in New Issue View Git Blame Copy Permalink