<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="stack_multiple_backends_authmulti" id="stack_multiple_backends_authmulti">Stack multiple backends (AuthMulti)</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign"> ✔ </td><td class="col1 centeralign"> ✔ </td><td class="col2"> </td>
</tr>
</table>
</div>
<!-- SECTION "Stack multiple backends (AuthMulti)" [1-109] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
This backend allows several authentication methods to be chained, for example to fall back to <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> authentication if Remote authentication fails.
</p>
</div>
<!-- SECTION "Presentation" [110-270] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
<p>
You have to use “Multi” as the authentication module. This scheme expects a parameter, which is the authentication chain.
</p>
<p>
For example:
</p>
<pre class="code">
Multi CAS;LDAP
</pre>
<p>
If <acronym title="Central Authentication Service">CAS</acronym> fails, <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> will be used.
</p>
<p>
You can also add a condition. Example:
</p>
<pre class="code">
Multi Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/
</pre>
<div class="notetip">If Multi is used for both authentication and user database, it will try to use the same module. For example, if you have “<acronym title="Database Interface">DBI</acronym>;<acronym title="Lightweight Directory Access Protocol">LDAP</acronym>” and <acronym title="Database Interface">DBI</acronym> fails for authentication, Multi will first try to call <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> as user database.
</div>
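<p>
As an added illustration (not LL::NG code), the following Perl mimics how a “Multi” chain string is split into ordered module/condition pairs and which modules remain candidates for a given client address; the <code>parse_chain</code> and <code>candidates</code> helpers and the sample addresses are constructed for this example. It also shows that the <code>/^192/</code> prefix used above matches more than the private 192.168.0.0/16 range, which matters when the condition decides which backend a client reaches.
</p>

```perl
#!/usr/bin/perl
# Added illustration, not LemonLDAP::NG code: a simplified model of how a
# "Multi" chain "Mod1 cond1;Mod2 cond2" is evaluated. Conditions are Perl
# expressions, as in the page's example. Sample addresses are constructed.
use strict;
use warnings;

# Split the chain into [ module, condition ] pairs, in order.
# A module without a condition is always a candidate (condition '1').
sub parse_chain {
    my ($chain) = @_;
    my @stack;
    for my $item ( split /\s*;\s*/, $chain ) {
        my ( $module, $cond ) = split /\s+/, $item, 2;
        push @stack, [ $module, defined $cond ? $cond : '1' ];
    }
    return \@stack;
}

# Modules that would be tried, in order, for one client address.
# %ENV is set up the way the portal sees it under Apache.
sub candidates {
    my ( $chain, $remote_addr ) = @_;
    local $ENV{REMOTE_ADDR} = $remote_addr;
    my @tried;
    for my $entry ( @{ parse_chain($chain) } ) {
        my ( $module, $cond ) = @$entry;
        my $ok = eval $cond;    # trusted configuration string, never user input
        die "bad condition '$cond': $@" if $@;
        push @tried, $module if $ok;
    }
    return @tried;
}

# The chain from the page, and a tighter variant: /^192/ also matches
# e.g. 192.0.2.1, which is not a private address, so the first stage would
# be offered to such clients too. Anchoring the full prefix avoids that.
my $loose  = 'Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/';
my $strict = 'Remote $ENV{REMOTE_ADDR}=~/^192\.168\./;LDAP $ENV{REMOTE_ADDR}!~/^192\.168\./';

for my $ip ( '192.168.1.10', '192.0.2.1', '10.0.0.5' ) {
    printf "%-13s loose: %-7s strict: %s\n", $ip,
        join( ',', candidates( $loose,  $ip ) ),
        join( ',', candidates( $strict, $ip ) );
}
```

With the loose chain, 192.0.2.1 is routed to Remote; with the anchored one it falls through to LDAP, while 192.168.1.10 and 10.0.0.5 behave the same under both.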
</div>
<!-- SECTION "Configuration" [271-849] -->
<h3><a name="advanced_configuration" id="advanced_configuration">Advanced configuration</a></h3>
<div class="level3">
<p>
The “Multi” system can:
</p>
<ul>
<li class="level1"><div class="li"> stack the same module several times under different names</div>
</li>
<li class="level1"><div class="li"> overload any <acronym title="LemonLDAP::NG">LL::NG</acronym> <a href="../../documentation/1.3/parameterlist.html" class="wikilink1" title="documentation:1.3:parameterlist">parameter</a> when a specific backend is used</div>
</li>
</ul>
<div class="notetip">Overloading is not available through the manager.
</div>
<p>
To stack the same module several times, use a “#name” suffix with a different name for each instance. Example:
</p>
<pre class="code">
Multi LDAP#Openldap; LDAP#ActiveDirectory
</pre>
<p>
Then you can have different <a href="../../documentation/1.3/parameterlist.html" class="wikilink1" title="documentation:1.3:parameterlist">parameters</a> for each instance, stored in a <acronym title="Practical Extraction and Report Language">Perl</acronym> hash entry named multi:
</p>
<pre class="code perl">multi <span class="sy0">=></span> <span class="br0">{</span>
<span class="st_h">'LDAP#Openldap'</span> <span class="sy0">=></span> <span class="br0">{</span>
ldapServer <span class="sy0">=></span> <span class="st_h">'ldap1.example.com'</span><span class="sy0">,</span>
LDAPFilter <span class="sy0">=></span> <span class="st_h">'(uid=$user)'</span><span class="sy0">,</span>
<span class="br0">}</span><span class="sy0">,</span>
<span class="st_h">'LDAP#ActiveDirectory'</span> <span class="sy0">=></span> <span class="br0">{</span>
ldapServer <span class="sy0">=></span> <span class="st_h">'ldaps://ad.example.com'</span><span class="sy0">,</span>
LDAPFilter <span class="sy0">=></span> <span class="st_h">'(&(sAMAccountName=$user)(objectClass=person))'</span><span class="sy0">,</span>
<span class="br0">}</span>
<span class="br0">}</span><span class="sy0">,</span></pre>
<p>
This key must be stored directly in the portal index.pl file or in lemonldap-ng.ini:
</p>
<ul>
<li class="level1"><div class="li"> for index.pl, set it in new():</div>
</li>
</ul>
<pre class="code perl"><span class="kw1">my</span> <span class="re0">$portal</span> <span class="sy0">=</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">SharedConf</span><span class="sy0">-></span><span class="me1">new</span><span class="br0">(</span><span class="br0">{</span>
multi <span class="sy0">=></span> <span class="br0">{</span>
<span class="st_h">'LDAP#Openldap'</span> <span class="sy0">=></span> <span class="br0">{</span>
ldapServer <span class="sy0">=></span> <span class="st_h">'ldap1.example.com'</span><span class="sy0">,</span>
LDAPFilter <span class="sy0">=></span> <span class="st_h">'(uid=$user)'</span><span class="sy0">,</span>
<span class="br0">}</span><span class="sy0">,</span>
<span class="st_h">'LDAP#ActiveDirectory'</span> <span class="sy0">=></span> <span class="br0">{</span>
ldapServer <span class="sy0">=></span> <span class="st_h">'ldaps://ad.example.com'</span><span class="sy0">,</span>
LDAPFilter <span class="sy0">=></span> <span class="st_h">'(&(sAMAccountName=$user)(objectClass=person))'</span><span class="sy0">,</span>
<span class="br0">}</span>
<span class="br0">}</span><span class="sy0">,</span>
<span class="br0">}</span><span class="br0">)</span></pre>
<ul>
<li class="level1"><div class="li"> or, to use lemonldap-ng.ini, put it (on one line only) in the [portal] section:</div>
</li>
</ul>
<pre class="code ini"><span class="re0"><span class="br0">[</span>portal<span class="br0">]</span></span>
<span class="re1">multi</span> <span class="sy0">=</span><span class="re2"> <span class="br0">{</span>'LDAP#Openldap'<span class="sy0">=</span>><span class="br0">{</span>ldapServer<span class="sy0">=</span>>'ldap1.example.com',LDAPFilter<span class="sy0">=</span>>'<span class="br0">(</span>uid<span class="sy0">=</span>$user<span class="br0">)</span>'<span class="br0">}</span>,'LDAP#ActiveDirectory'<span class="sy0">=</span>><span class="br0">{</span>ldapServer<span class="sy0">=</span>>'ldaps://ad.example.com',LDAPFilter<span class="sy0">=</span>>'<span class="br0">(</span>&<span class="br0">(</span>sAMAccountName<span class="sy0">=</span>$user<span class="br0">)</span><span class="br0">(</span>objectClass<span class="sy0">=</span>person<span class="br0">)</span><span class="br0">)</span>'<span class="br0">}</span><span class="br0">}</span></span></pre>
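<p>
As an added illustration (not LL::NG code), this Perl shows the effect of the multi hash above: the parameters a given stacked backend ends up with are the global ones with that backend's multi entry laid over them, so keys that are not overloaded (ldapPort here) are inherited. The <code>effective_params</code> helper and the global values are constructed for this example; the merge rule is an assumption about how overloading is applied.
</p>

```perl
#!/usr/bin/perl
# Added illustration, not LemonLDAP::NG code: effective parameters for one
# stacked backend, assuming per-backend keys overload the global ones and
# everything else is inherited. Global values are constructed.
use strict;
use warnings;

# Global parameters with the overrides of $conf->{multi}{$backend} applied.
sub effective_params {
    my ( $conf, $backend ) = @_;
    my %p = %$conf;                        # shallow copy of global parameters
    delete $p{multi};                      # the multi hash itself is not a parameter
    my $over = $conf->{multi}{$backend} || {};
    $p{$_} = $over->{$_} for keys %$over;  # overloaded keys win
    return \%p;
}

# Globals plus the multi hash from the page (global values constructed).
my $conf = {
    authentication => 'Multi LDAP#Openldap; LDAP#ActiveDirectory',
    ldapServer     => 'ldap0.example.com',
    ldapPort       => 389,
    LDAPFilter     => '(uid=$user)',
    multi => {
        'LDAP#Openldap' => {
            ldapServer => 'ldap1.example.com',
            LDAPFilter => '(uid=$user)',
        },
        'LDAP#ActiveDirectory' => {
            ldapServer => 'ldaps://ad.example.com',
            LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
        },
    },
};

for my $backend ( 'LDAP#Openldap', 'LDAP#ActiveDirectory' ) {
    my $p = effective_params( $conf, $backend );
    printf "%-21s server=%-24s port=%s filter=%s\n",
        $backend, $p->{ldapServer}, $p->{ldapPort}, $p->{LDAPFilter};
}
```

Both instances print port 389 from the global configuration while server and filter come from their own multi entry.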
</div>
<!-- SECTION "Advanced configuration" [850-2452] -->
<h2><a name="known_problems" id="known_problems">Known problems</a></h2>
<div class="level2">
</div>
<!-- SECTION "Known problems" [2453-2480] -->
<h3><a name="authapache_authentication" id="authapache_authentication">AuthApache authentication</a></h3>
<div class="level3">
<p>
When using this module, the <acronym title="LemonLDAP::NG">LL::NG</acronym> portal will be called only if Apache does not return “401 Authentication required”, but this is not how Apache behaves: if the auth module fails, Apache returns 401.
</p>
<p>
To bypass this, follow the documentation of the <a href="../../documentation/1.3/authapache.html#use_kerberos_with_multiple_authentication_backend" class="wikilink1" title="documentation:1.3:authapache">AuthApache module</a>.
</p>
</div>
<!-- SECTION "AuthApache authentication" [2481-2845] -->
<h3><a name="ssl_authentication" id="ssl_authentication">SSL authentication</a></h3>
<div class="level3">
<p>
To chain <acronym title="Secure Sockets Layer">SSL</acronym>, you have to set “SSLRequire optional” in the Apache configuration; otherwise users will be authenticated by <acronym title="Secure Sockets Layer">SSL</acronym> only.
</p>
</div>
<!-- SECTION "SSL authentication" [2846-] --></div><!-- closes <div class="dokuwiki export">-->