Differences

This shows you the differences between two versions of the page.

documentation:2.1:authapache [2019/01/15 15:55] (current)
Line 1: Line 1:
 +====== Apache======
 +
 +^  Authentication ​ ^  Users  ^  Password ​ ^
 +|  ✔  | | |
 +
 +===== Presentation =====
 +
 +LL::NG can delegate authentication to Apache, so it is possible to use any [[http://​httpd.apache.org/​docs/​current/​howto/​auth.html|Apache authentication module]], for example Kerberos, Radius, OTP, etc.
 +
 +<note important>​To authenticate users using Kerberos, you can now use the new [[authkerberos|Kerberos authentication module]] which allow one to chain Kerberos in a [[authcombination|combination]]</​note>​
 +
 +<note tip>​Apache authentication module will set the ''​REMOTE_USER''​ environment variable, which will be used by LL::NG to get authenticated user.</​note>​
 +
 +===== Configuration =====
 +
 +==== LL::​NG ​ ====
 +
 +In General Parameters > Authentication modules, choose ''​Apache''​ as authentication backend.
 +
 +You may want to failback to another authentication backend in case of the Apache authentication fails. Use then the [[authmulti|Multiple authentication module]], for example:
 +<​code>​Apache;​LDAP</​code>​
 +
 +<note tip>In this case, the Apache authentication module should not require a valid user and not be authoritative,​ else Apache server will return an error and not let LL::NG Portal manage the failback authentication.</​note>​
 +
 +==== Apache ====
 +
 +The Apache configuration depends on the module you choose, you need to look at the module documentation,​ for example:
 +  * [[http://​modauthkerb.sourceforge.net/​|Kerberos]]
 +  * [[http://​search.cpan.org/​~speeves/​Apache2-AuthenNTLM-0.02/​AuthenNTLM.pm|NTLM]]
 +  * [[http://​freeradius.org/​mod_auth_radius/​|Radius]]
 +  * ...
 +
 +===== Tips =====
 +
 +==== Kerberos ====
 +
 +The Kerberos configuration is quite complex. You can find some configuration tips [[kerberos|on this page]].
 +
 +<note tip>​Prefer new [[authkerberos|Kerberos]] module.</​note>​
 +
 +==== Compatibility with Identity Provider modules ====
 +
 +When using IDP modules (like CAS or SAML), the activation of Apache authentication can alter the operation. This is because the client often need to request directly the IDP, and the Apache authentication will block the request.
 +
 +In this case, you can add in the Apache authentication module:
 +
 +<file apache>
 +      Satisfy any 
 +      Order allow,​deny ​
 +      allow from APPLICATIONS_IP
 +</​file>​
 +
 +This will bypass the authentication module for request from APPLICATIONS_IP.
 +
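Review bot: In the "Compatibility with Identity Provider modules" section, the `Satisfy any` / `Order allow,deny` / `allow from APPLICATIONS_IP` snippet turns off Apache authentication for every request coming from that address, but the text does not say which container it belongs in or how narrowly it should apply. I would state that it goes in the same block as the authentication directives and should be limited to the IDP endpoints that applications call directly, not the whole portal, and that APPLICATIONS_IP must be the address Apache actually sees (behind a reverse proxy that is the proxy's address, so the exemption would cover all proxied traffic). The three directives are also Apache 2.2 access-control syntax; on Apache 2.4 they only work through mod_access_compat, so it is worth adding the 2.4 form next to it, that is `Require ip APPLICATIONS_IP` together with `Require valid-user` inside a `<RequireAny>` block. Minor wording in the same hunk: "failback" should read "fallback" (twice in the LL::NG section), "which allow one" should be "which allows one", and "the client often need" should be "the client often needs".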