Authentication | Users | Password |
---|---|---|
✔ | ✔ | |
This backend allows chaining authentication methods, for example to fall back to LDAP authentication if Remote authentication fails…
You have to use “Multi” as the authentication module. This scheme expects one parameter: the authentication chain.
For example:
```
Multi CAS;LDAP
```
If CAS fails, LDAP is used.
You can also add a condition. Example:
```
Multi Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/
```
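The condition in this example matches on the textual prefix "192", so it covers every IPv4 address whose first octet is 192, not only the private 192.168.0.0/16 range. The following Perl script is an added example, not LemonLDAP::NG code: `eligible_modules` is a hypothetical helper that models the chain syntax in simplified form, the tightened regex assumes the intent is 192.168.0.0/16, and the sample addresses are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model of a Multi chain (assumption, not LemonLDAP::NG code):
# entries are separated by ';', the first word is the module name and the
# rest is a Perl condition evaluated against %ENV. A module is eligible when
# it has no condition or its condition is true.
sub eligible_modules {
    my ( $chain, $remote_addr ) = @_;
    local $ENV{REMOTE_ADDR} = $remote_addr;
    my @eligible;
    for my $entry ( split /\s*;\s*/, $chain ) {
        my ( $module, $cond ) = split /\s+/, $entry, 2;
        my $ok = 1;
        if ( defined $cond && length $cond ) {
            $ok = eval($cond);    # chain comes from trusted admin config only
            die "bad condition for $module: $@" if $@;
        }
        push @eligible, $module if $ok;
    }
    return @eligible;
}

# Chain from the page: any address whose text starts with "192".
my $page_chain = 'Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/';

# Tightened variant (assumption: the intent is 192.168.0.0/16 only).
my $tight_chain = 'Remote $ENV{REMOTE_ADDR}=~/^192\.168\./;'
                . 'LDAP $ENV{REMOTE_ADDR}!~/^192\.168\./';

# Constructed sample addresses: private, documentation range, other private.
for my $addr (qw(192.168.1.20 192.0.2.10 10.0.0.5)) {
    printf "%-13s page: %-7s tightened: %s\n", $addr,
        join( ',', eligible_modules( $page_chain,  $addr ) ),
        join( ',', eligible_modules( $tight_chain, $addr ) );
}
```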
The “Multi” system can :
To stack the same module several times, use “#name” with different names. Example:
```
Multi LDAP#Openldap; LDAP#ActiveDirectory
```
You can then give each instance its own parameters, stored in a Perl hash entry named multi:
```perl
multi => {
    'LDAP#Openldap' => {
        ldapServer => 'ldap1.example.com',
        LDAPFilter => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
        ldapServer => 'ldaps://ad.example.com',
        LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
    }
},
```
This key must be stored directly in the portal index.pl file or in lemonldap-ng.ini:
```perl
use Lemonldap::NG::Portal::SharedConf;

# Per-instance parameters for each stacked LDAP module
my $portal = Lemonldap::NG::Portal::SharedConf->new({
    multi => {
        'LDAP#Openldap' => {
            ldapServer => 'ldap1.example.com',
            LDAPFilter => '(uid=$user)',
        },
        'LDAP#ActiveDirectory' => {
            ldapServer => 'ldaps://ad.example.com',
            LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
        }
    },
});
```
```ini
[portal]
multi = {'LDAP#Openldap'=>{ldapServer=>'ldap1.example.com',LDAPFilter=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{ldapServer=>'ldaps://ad.example.com',LDAPFilter=>'(&(sAMAccountName=$user)(objectClass=person))'}}
```
When using this module, the LL::NG portal is called only if Apache does not return “401 Authentication required”. However, this is not how Apache behaves: if the auth module fails, Apache returns 401.
To bypass this, follow the documentation of the AuthApache module.
To chain SSL, you have to set “SSLRequire optional” in the Apache configuration; otherwise users will be authenticated by SSL only.