File: authapache.html

lemonldap-ng 1.9.7-3+deb9u2
  • area: main
  • in suites: stretch
  • size: 39,024 kB
  • sloc: perl: 37,552; makefile: 922; sh: 472; sql: 5
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:1.9:authapache</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,authapache"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authapache.html"/>
<link rel="contents" href="authapache.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:authapache","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#llng">LL::NG</a></div></li>
<li class="level2"><div class="li"><a href="#apache1">Apache</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#tips">Tips</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#kerberos">Kerberos</a></div></li>
<li class="level2"><div class="li"><a href="#compatibility_with_identity_provider_modules">Compatibility with Identity Provider modules</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="apache">Apache</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Authentication  </th><th class="col1 centeralign">  Users  </th><th class="col2 centeralign">  Password  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 centeralign">  ✔  </td><td class="col1"> </td><td class="col2"> </td>
	</tr>
</table></div>
<!-- EDIT2 TABLE [22-79] -->
</div>
<!-- EDIT1 SECTION "Apache" [1-80] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can delegate authentication to Apache, so it is possible to use any <a href="http://httpd.apache.org/docs/current/howto/auth.html" class="urlextern" title="http://httpd.apache.org/docs/current/howto/auth.html"  rel="nofollow">Apache authentication module</a>, for example Kerberos, Radius, OTP, etc.
</p>
<div class="notetip">The Apache authentication module sets the <code>REMOTE_USER</code> environment variable, which <abbr title="LemonLDAP::NG">LL::NG</abbr> uses to identify the authenticated user.
</div>
</div>
<!-- EDIT3 SECTION "Presentation" [81-463] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">

</div>
<!-- EDIT4 SECTION "Configuration" [464-490] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">

<p>
In General Parameters &gt; Authentication modules, choose <code>Apache</code> as the authentication backend.
</p>

<p>
You may want to fall back to another authentication backend if the Apache authentication fails. In that case, use the <a href="authmulti.html" class="wikilink1" title="documentation:1.9:authmulti">Multiple authentication module</a>, for example:
</p>
<pre class="code">Apache;LDAP</pre>
<div class="notetip">In this case, the Apache authentication module should not require a valid user and should not be authoritative; otherwise the Apache server will return an error and will not let the <abbr title="LemonLDAP::NG">LL::NG</abbr> Portal handle the fallback authentication.
</div>
</div>
<!-- EDIT5 SECTION "LL::NG" [491-1029] -->
<h3 class="sectionedit6" id="apache1">Apache</h3>
<div class="level3">

<p>
The Apache configuration depends on the module you choose; refer to that module's documentation, for example:
</p>
<ul>
<li class="level1"><div class="li"> <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/"  rel="nofollow">Kerberos</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" class="urlextern" title="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm"  rel="nofollow">NTLM</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://freeradius.org/mod_auth_radius/" class="urlextern" title="http://freeradius.org/mod_auth_radius/"  rel="nofollow">Radius</a></div>
</li>
<li class="level1"><div class="li"> …</div>
</li>
</ul>

</div>
<!-- EDIT6 SECTION "Apache" [1030-1364] -->
<h2 class="sectionedit7" id="tips">Tips</h2>
<div class="level2">

</div>
<!-- EDIT7 SECTION "Tips" [1365-1382] -->
<h3 class="sectionedit8" id="kerberos">Kerberos</h3>
<div class="level3">

<p>
The Kerberos configuration is quite complex. You can find some configuration tips <a href="kerberos.html" class="wikilink1" title="documentation:1.9:kerberos">on this page</a>.
</p>

</div>
<!-- EDIT8 SECTION "Kerberos" [1383-1512] -->
<h3 class="sectionedit9" id="compatibility_with_identity_provider_modules">Compatibility with Identity Provider modules</h3>
<div class="level3">

<p>
When using IDP modules (like <abbr title="Central Authentication Service">CAS</abbr> or <abbr title="Security Assertion Markup Language">SAML</abbr>), activating Apache authentication can alter their operation. This is because the client often needs to send requests directly to the IDP, and the Apache authentication will block those requests.
</p>

<p>
In this case, you can add the following to the Apache authentication module configuration:
</p>
<pre class="code file apache">      <span class="kw1">Satisfy</span> any 
      <span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span> 
      <span class="kw1">allow</span> from APPLICATIONS_IP</pre>

<p>
This will bypass the authentication module for requests from APPLICATIONS_<abbr title="Internet Protocol">IP</abbr>.
</p>
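<p>
An added example, not part of the LL::NG documentation: a small Python check that reads the directives of an Apache authentication block and reports <code>Allow from</code> entries that, combined with <code>Satisfy any</code>, let a wide range of clients skip authentication. The function name <code>audit_bypass</code>, the prefix thresholds and the sample addresses (taken from the 192.0.2.0/24 documentation range to stand in for APPLICATIONS_IP) are assumptions.
</p>

```python
import ipaddress
import re

# Constructed sample directives (assumptions, not taken from a real server).
# 192.0.2.10 and 192.0.2.11 stand in for APPLICATIONS_IP.
NARROW = """
AuthType Kerberos
Require valid-user
Satisfy any
Order allow,deny
Allow from 192.0.2.10 192.0.2.11
"""
BROAD = """
AuthType Kerberos
Require valid-user
Satisfy Any
Order allow,deny
Allow from all
Allow from 10.0.0.0/8
"""

def audit_bypass(config, min_v4_prefix=24, min_v6_prefix=64):
    """Return findings for host rules that skip authentication under 'Satisfy any'."""
    lines = [line.strip() for line in config.splitlines()]
    if not any(re.fullmatch(r"satisfy\s+any", line, re.I) for line in lines):
        return []  # 'Satisfy all' is the default: host rules cannot replace authentication
    findings = []
    for line in lines:
        m = re.match(r"allow\s+from\s+(.+)", line, re.I)
        if not m:
            continue
        for host in m.group(1).split():
            if host.lower() == "all":
                findings.append("'Allow from all': every client skips authentication")
                continue
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                # Host names, partial addresses and env= rules need a manual look
                findings.append(f"'{host}': not an IP or CIDR, review by hand")
                continue
            limit = min_v4_prefix if net.version == 4 else min_v6_prefix
            if limit > net.prefixlen:
                findings.append(f"'{host}': {net.num_addresses} addresses skip authentication")
    return findings
```

<p>
An empty result for a block means that only the listed application addresses bypass the authentication module.
</p>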

</div>
<!-- EDIT9 SECTION "Compatibility with Identity Provider modules" [1513-] --></div>
</body>
</html>