
Stack multiple backends (AuthMulti)


This backend lets you chain authentication methods, for example to fall back to LDAP authentication if Remote authentication fails.

You have to use "Multi" as the authentication module. This module expects one parameter: the authentication chain.

For example:

Multi CAS;LDAP

If CAS fails, LDAP is used.

You can also add a condition. Example:

Multi Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/

If Multi is used for both authentication and the user database, it tries to use the same module for both. For example, with "DBI;LDAP", if DBI fails for authentication, Multi first calls LDAP as the user database.

The "Multi" system can:

  • stack the same module several times under different names
  • overload any LL::NG parameter when a specific backend is used

Overloading is not available through the manager.

To stack the same module several times, append "#name" to it with a different name for each instance. Example:

Multi LDAP#Openldap; LDAP#ActiveDirectory

Then you can define different parameters for each instance, stored in a Perl hash entry named multi:

multi => {
    'LDAP#Openldap' => {
      ldapServer => 'ldap1.example.com',
      LDAPFilter => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
      ldapServer => 'ldaps://ad.example.com',
      LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
    }
},

This key must be stored directly in portal index.pl file or in lemonldap-ng.ini:

  • for index.pl, set it in new():
my $portal = Lemonldap::NG::Portal::SharedConf->new({
multi => {
    'LDAP#Openldap' => {
      ldapServer => 'ldap1.example.com',
      LDAPFilter => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
      ldapServer => 'ldaps://ad.example.com',
      LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
    }
},
})
  • or, in lemonldap-ng.ini, put it on a single line in the [portal] section:
[portal]
multi = {'LDAP#Openldap'=>{ldapServer=>'ldap1.example.com',LDAPFilter=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{ldapServer=>'ldaps://ad.example.com',LDAPFilter=>'(&(sAMAccountName=$user)(objectClass=person))'}}
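
The script below is an added illustration of the chain semantics described above (conditions on each backend, fall-through on a false condition or a failed backend, and "Module#name" instances picking their overrides from the multi hash). It is not Lemonldap::NG code: the Remote and LDAP stand-in backends, the request environments and the evaluation loop are all constructed here; the real portal loads its Auth modules instead of these stubs.

```perl
#!/usr/bin/perl
# Added example: how a Multi chain is read and walked. Constructed for this
# page; the backends below are stubs, not Lemonldap::NG::Portal::Auth* modules.
use strict;
use warnings;

# Stand-in backends, each returning 1 (success) or 0 (failure).
my %backend = (
    Remote => sub { my ($env) = @_; return $env->{REMOTE_USER} ? 1 : 0 },
    LDAP   => sub {
        my ( $env, $p ) = @_;
        # A real LDAP backend would bind to $p->{ldapServer}; here we only show
        # which instance parameters were resolved.
        print "  LDAP would query $p->{ldapServer} with $p->{LDAPFilter}\n";
        return $env->{user} ? 1 : 0;
    },
);

# Per-instance overrides, in the same shape as the page's multi key.
my %multi = (
    'LDAP#Openldap' => {
        ldapServer => 'ldap1.example.com',
        LDAPFilter => '(uid=$user)',
    },
    'LDAP#ActiveDirectory' => {
        ldapServer => 'ldaps://ad.example.com',
        LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
    },
);

# Split "Module condition;Module condition" into ordered [name, condition]
# pairs; the condition is undef when a step has none.
sub parse_chain {
    my ($spec) = @_;
    my @chain;
    for my $item ( split /\s*;\s*/, $spec ) {
        my ( $name, $cond ) = split /\s+/, $item, 2;
        push @chain, [ $name, $cond ];
    }
    return @chain;
}

# Walk the chain in order: the first backend whose condition holds and which
# succeeds wins; a false condition or a failed backend falls through.
sub run_chain {
    my ( $spec, $env ) = @_;
    for my $step ( parse_chain($spec) ) {
        my ( $name, $cond ) = @$step;
        my ($module) = split /#/, $name;    # 'LDAP#Openldap' -> 'LDAP'
        my $code = $backend{$module} or die "unknown module $module\n";
        if ( defined $cond ) {
            local %ENV = %$env;             # expose the request to the condition
            my $ok = eval $cond;            # conditions are Perl expressions from the configuration
            if ( $@ or !$ok ) { print "  $name: condition false, skipping\n"; next }
        }
        my $params = $multi{$name} || {};   # instance overrides, if any
        if ( $code->( $env, $params ) ) {
            print "  $name: success\n";
            return $name;
        }
        print "  $name: failed, trying next\n";
    }
    return undef;                           # whole chain exhausted
}

# Constructed requests: an internal client (no REMOTE_USER set by the web
# server) and an external one. Addresses and user are made-up sample values.
my $spec = 'Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP#Openldap $ENV{REMOTE_ADDR}!~/^192/';
for my $req ( { REMOTE_ADDR => '192.168.1.10', user => 'alice' },
              { REMOTE_ADDR => '203.0.113.7',  user => 'alice' } ) {
    print "Client $req->{REMOTE_ADDR}:\n";
    my $winner = run_chain( $spec, $req );
    print defined $winner ? "  authenticated by $winner\n" : "  authentication failed\n";
}
```

For the internal client the Remote step is tried and fails (no REMOTE_USER), and the LDAP step is skipped because its condition is false, so the chain is exhausted. For the external client the Remote step is skipped and LDAP#Openldap is used with the ldap1.example.com parameters from the multi hash.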

When using this module, the LL::NG portal is called only if Apache does not return "401 Authentication required". This is not the Apache behaviour: if the auth module fails, Apache returns 401. We are studying a future solution for this…

To chain SSL, you have to set "SSLRequire optional" in the Apache configuration; otherwise users will be authenticated by SSL only.