395 lines
17 KiB
HTML
395 lines
17 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="fr" dir="ltr">
|
|
<head>
|
|
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:authcombination</title><!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else --><!-- //endif -->
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="index,follow"/>
|
|
<meta name="keywords" content="documentation,2.0,authcombination"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="authcombination.html"/>
|
|
<link rel="contents" href="authcombination.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
|
|
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authcombination","namespace":"documentation:2.0"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script><!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script><!-- //endif --><!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
|
|
//else -->
|
|
|
|
|
|
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script><!-- //endif -->
|
|
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container"><!-- TOC START -->
|
|
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#presentation">Présentation</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#modules_declaration">Modules declaration</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#rule_chain">Rule chain</a></div>
|
|
<ul class="toc">
|
|
<li class="level3"><div class="li"><a href="#boolean_expression">Boolean expression</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#tests">Tests</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#let_s_be_crazy">Let's be crazy</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level2"><div class="li"><a href="#combine_second_factor">Combine second factor</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#display_multiple_forms">Display multiple forms</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#known_problems">Problèmes connus</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#federation_protocols">Federation protocols</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#authapache_authentication">Auth::Apache authentication</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#ssl_authentication">Authentification SSL</a></div></li>
|
|
</ul></li>
|
|
</ul>
|
|
</div>
|
|
</div><!-- TOC END -->
|
|
|
|
|
|
<h1 class="sectionedit1" id="combination_of_authentication_schemes">Combination of authentication schemes</h1>
|
|
<div class="level1">
|
|
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign"> Authentification </th><th class="col1 centeralign"> Utilisateurs </th><th class="col2 centeralign"> Mot-de-passe </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0 centeralign"> ✔ </td><td class="col1 centeralign"> ✔ </td><td class="col2 leftalign"> </td>
|
|
</tr>
|
|
</table></div><!-- EDIT2 TABLE [54-118] -->
|
|
|
|
</div><!-- EDIT1 SECTION "Combination of authentication schemes" [1-119] -->
|
|
|
|
<h2 class="sectionedit3" id="presentation">Présentation</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
|
|
This backend allows one to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed…
|
|
|
|
</p>
|
|
|
|
</div><!-- EDIT3 SECTION "Presentation" [120-284] -->
|
|
|
|
<h2 class="sectionedit4" id="configuration">Configuration</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
|
|
You have to use <code>Combination</code> as authentication module (users module must be set to “Same”). Then go in <code>Combination parameters</code> to :
|
|
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> declare the modules that will be used</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> set the rule chain</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div><!-- EDIT4 SECTION "Configuration" [285-515] -->
|
|
|
|
<h3 class="sectionedit5" id="modules_declaration">Modules declaration</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
|
|
Each module that will be used in combination rule must be declared. You must set:
|
|
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> the name used in the rule (a uniq string)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> the type (LDAP, <abbr title="Database Interface">DBI</abbr>,…)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> the scope:</div>
|
|
<ul>
|
|
<li class="level2"><div class="li"> authentication and user DB</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> authentication only</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> user DB only</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Par exemple :
|
|
</p>
|
|
<div class="table sectionedit6"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0"> Nom </th><th class="col1"> Type </th><th class="col2"> Scope </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0"> DB1 </td><td class="col1"> <abbr title="Database Interface">DBI</abbr> </td><td class="col2"> Auth only </td>
|
|
</tr>
|
|
<tr class="row2 roweven">
|
|
<td class="col0"> DB2 </td><td class="col1"> <abbr title="Database Interface">DBI</abbr> </td><td class="col2"> User DB only </td>
|
|
</tr>
|
|
</table></div><!-- EDIT6 TABLE [811-889] -->
|
|
|
|
<p>
|
|
|
|
Usually, you can't declare two modules of the same type if they don't have the same parameters. For example, usually you can't declare a MySQL <abbr title="Database Interface">DBI</abbr> and a PostgreSQL <abbr title="Database Interface">DBI</abbr>, because there is no extra field for PostgreSQL parameters. Now with Combination, you can declare some overloaded parameters. For example, if <abbr title="Database Interface">DBI</abbr> is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the “dbiChain” parameter.
|
|
|
|
</p>
|
|
|
|
</div><!-- EDIT5 SECTION "Modules declaration" [516-1303] -->
|
|
|
|
<h3 class="sectionedit7" id="rule_chain">Rule chain</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
|
|
Combination allows:
|
|
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> to chain schemes (example: <code>[LDAP] and [<abbr title="Database Interface">DBI</abbr>]</code>)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> to test different schemes (example: <code>[LDAP] or [<abbr title="Database Interface">DBI</abbr>]</code>)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> to choose authentication scheme depending on some request values</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
|
|
Each scheme must be enclose in <code>[]</code>. A comma separates auth and user DB modules. If only one value is set, the same is used for both.
|
|
|
|
</p>
|
|
|
|
</div>
|
|
|
|
<h4 id="boolean_expression">Boolean expression</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
|
|
Remember that schemes in rules are the names declared above.
|
|
|
|
</p>
|
|
<div class="table sectionedit8"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0"> Exemple </th><th class="col1"> Explanation </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0 leftalign"> <code>[myLDAP] or [myDBI]</code> </td><td class="col1"> If myLDAP fails, use myDBI </td>
|
|
</tr>
|
|
<tr class="row2 roweven">
|
|
<td class="col0"> <code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code> </td><td class="col1"> Try mySSL for auth and myLDAP for userDB. If fails, switch to myLDAP for both </td>
|
|
</tr>
|
|
<tr class="row3 rowodd">
|
|
<td class="col0 leftalign"> <code>[myLDAP] or [myDBI1] or [myDBI2]</code> </td><td class="col1"> Try myLDAP, then if it fails, myDBI1, then if it fails myDBI2 </td>
|
|
</tr>
|
|
<tr class="row4 roweven">
|
|
<td class="col0 leftalign"> <code>[mySSL and myLDAP, myLDAP ]</code> </td><td class="col1"> Use mySSL and myLDAP to authentify, myLDAP to get user </td>
|
|
</tr>
|
|
</table></div><!-- EDIT8 TABLE [1757-2188] -->
|
|
<div class="noteimportant">Note that “or” can't be used inside a scheme.
|
|
If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code>
|
|
|
|
</div><div class="table sectionedit9"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0"> Exemple </th><th class="col1"> Explanation </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0 leftalign"> <code>[myDBI1] and [myDBI2] or [myLDAP]</code> </td><td class="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP </td>
|
|
</tr>
|
|
<tr class="row2 roweven">
|
|
<td class="col0"> <code>[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2]</code> </td><td class="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP and myDBI2 </td>
|
|
</tr>
|
|
</table></div><!-- EDIT9 TABLE [2361-2605] -->
|
|
<div class="noteimportant">You can't use brackets in a boolean expression and “and” has precedence on “or”.
|
|
|
|
<p>
|
|
|
|
If you think to “( [myLDAP] or [myDBI1] ) and [myDBI2]”, you must write <code>[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]</code>
|
|
</p>
|
|
|
|
</div>
|
|
</div>
|
|
|
|
<h4 id="tests">Tests</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
|
|
Test can use only the <code>$env</code> variable. It contains the FastCGI environment variables.
|
|
|
|
</p>
|
|
<div class="table sectionedit10"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0"> Exemple </th><th class="col1"> Explanation </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0"> <code>if($env→{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else [mySSL, myLDAP]</code> </td><td class="col1"> If user doesn't come from 10.0.0.0/8 network, use SSL as authentication module </td>
|
|
</tr>
|
|
<tr class="row2 roweven">
|
|
<td class="col0"> <code>if($env→{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else if($env→{REMOTE_ADDR} =~ /^192/) then [myDBI1] else [myDBI2]</code> </td><td class="col1"> Chain tests </td>
|
|
</tr>
|
|
</table></div><!-- EDIT10 TABLE [2941-3263] -->
|
|
<div class="noteimportant">Note that brackets can't be used except to enclose test.
|
|
|
|
<p>
|
|
|
|
If you wants to write <code>if(…) then if…</code>, you must write <code>if(not …) then … else if(…)…</code>
|
|
</p>
|
|
|
|
</div>
|
|
</div>
|
|
|
|
<h4 id="let_s_be_crazy">Let's be crazy</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
|
|
The following rule is valid:
|
|
|
|
</p>
|
|
|
|
<p>
|
|
<code>if($env→{REMOTE_ADDR} =~ /^192\./) then [mySSL, myLDAP] or [myLDAP] else [myLDAP and myDBI, myLDAP]</code>
|
|
</p>
|
|
|
|
</div><!-- EDIT7 SECTION "Rule chain" [1304-3610] -->
|
|
|
|
<h3 class="sectionedit11" id="combine_second_factor">Combine second factor</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
|
|
Imagine you want to authenticate users either by SSL or LDAP+U2F, you can't directly write this rule: this is done in 2 steps:
|
|
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> use this combination rule: <code>[SSL,LDAP] or [LDAP]</code></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> enable U2F with this rule: <code>$_auth eq “LDAP”</code> or <code>$_authenticationLevel < 4</code> <em>(and adapt U2F authentication level)</em></div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
|
|
Now if you want to authenticate users either by LDAP or LDAP+U2F <em>(to have 2 different authentication level)</em>, 2 possibilities:
|
|
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> configure 2 portals and overwrite U2F activation in the second</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Modify login template to propose the choice <em>(add a “submit” button that points to the second portal)</em></div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div><!-- EDIT11 SECTION "Combine second factor" [3611-4260] -->
|
|
|
|
<h3 class="sectionedit12" id="display_multiple_forms">Display multiple forms</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Combination module returns the form corresponding to the first authentication scheme available for the current request. You can force it to display the forms chosen using <code>combinationForms</code> in lemonldap-ng.ini. Exemple :
|
|
</p>
|
|
<pre class="code :ini"><span class="re0"><span class="br0">[</span>portal<span class="br0">]</span></span>
|
|
<span class="re1">combinationForms</span> <span class="sy0">=</span><span class="re2"> standardform, openidform</span></pre>
|
|
|
|
</div><!-- EDIT12 SECTION "Display multiple forms" [4261-4589] -->
|
|
|
|
<h2 class="sectionedit13" id="known_problems">Problèmes connus</h2>
|
|
<div class="level2">
|
|
|
|
</div><!-- EDIT13 SECTION "Known problems" [4590-4617] -->
|
|
|
|
<h3 class="sectionedit14" id="federation_protocols">Federation protocols</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
<a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML</a>, <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID-Connect</a>, <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a> or <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID</a> can't be chained with a “and” for authentication part. So “[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]” isn't valid. This is because their authentication kinematic don't use the same steps.
|
|
|
|
</p>
|
|
<div class="table sectionedit15"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign"> Bad expression </th><th class="col1 centeralign"> Solution </th><th class="col2 centeralign"> Explanation </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0"> <em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]</code></em> </td><td class="col1"> <code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP]</code> </td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> only but user must match an LDAP entry </td>
|
|
</tr>
|
|
<tr class="row2 roweven">
|
|
<td class="col0"> <em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em> </td><td class="col1"> <code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code> </td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
|
|
</tr>
|
|
</table></div><!-- EDIT15 TABLE [4917-5249] -->
|
|
|
|
</div><!-- EDIT14 SECTION "Federation protocols" [4618-5250] -->
|
|
|
|
<h3 class="sectionedit16" id="authapache_authentication">Auth::Apache authentication</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
En utilisant ce module, le portail <abbr title="LemonLDAP::NG">LL::NG</abbr> est appelé uniquement si Apache ne retourne pas “401 Authentication required”, aucune bascule n'est donc possible. So it can be used only with a “and” boolean expression.
|
|
</p>
|
|
<div class="notetip">The new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos authentication module</a> solve this for Kerberos: you just have to use it instead of Apache and enable authentication by Ajax in Kerberos parameters.
|
|
|
|
</div>
|
|
<p>
|
|
|
|
Example: <code>[ Apache and LDAP, LDAP ]</code>
|
|
</p>
|
|
|
|
<p>
|
|
Pour outrepasser ceci, suivre la documentation du <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">module AuthApache</a>
|
|
</p>
|
|
|
|
</div><!-- EDIT16 SECTION "Auth::Apache authentication" [5251-5862] -->
|
|
|
|
<h3 class="sectionedit17" id="ssl_authentication">Authentification SSL</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Pour chaîner SSL, il est nécessaire de mettre “SSLRequire optional” dans le fichier de configuration Apache, sinon les utilisateurs ne seront authentifiés que par SSL.
|
|
</p>
|
|
|
|
</div><!-- EDIT17 SECTION "SSL authentication" [5863-] -->
|
|
</div>
|
|
</body>
|
|
</html>
|