| Authentication | Users | Password |
|---|---|---|
| ✔ | ✔ |
This backend allows one to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed…
You have to use Multiple as authentication modul (this will also force Multiple for the users module). Then go in Multiple parameters to define the modules to chain for authentication and users. Modules are separated by semi-colons/
For example:
CAS;LDAP
If CAS failed, LDAP will be used.
You can also add a condition. Example:
Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/'
DBI;LDAP and DBI failed for authentication, it will try first to call LDAP as user database.
The Multiple system can :
To stack several times the same module, use “#name” with different names. Example:
LDAP#Openldap; LDAP#ActiveDirectory
Then you can have different parameters for each stored in a Perl hash entry named multi:
multi => { 'LDAP#Openldap' => { 'ldapServer' => 'ldap1.example.com', 'LDAPFilter' => '(uid=$user)', }, 'LDAP#ActiveDirectory' => { 'ldapServer' => 'ldaps://ad.example.com', 'LDAPFilter' => '(&(sAMAccountName=$user)(objectClass=person))', } },
This key must be stored directly in lemonldap-ng.ini:
[portal] multi = {'LDAP#Openldap'=>{'ldapServer'=>'ldap1.example.com','LDAPFilter'=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{'ldapServer'=>'ldaps://ad.example.com','LDAPFilter'=>'(&(sAMAccountName=$user)(objectClass=person))'}}
When using this module, LL::NG portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401.
To bypass this, follow the documentation of AuthApache module
To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only.
Here is a complex use case involving :
The URLs will be:
In this case, redirection script described in the kerberos configuration page is insufficient. You have to transfer every parameter in SAML request, so rather use this redirection script instead:
#!/usr/bin/perl use CGI ':cgi-lib'; use strict; use MIME::Base64; use CGI::Carp 'fatalsToBrowser'; my $uri = $ENV{"REDIRECT_URL"}; $uri .= "?".$ENV{"REDIRECT_QUERY_STRING"}; $uri =~ s/\/kerberos//; print CGI::header(-Refresh => '0; URL=https://auth.example.com'.$uri); exit(0);
You also have to make LemonLDAP::NG tolerant to the Path in order to have SAML request correctly detected. To do this, go in the manager, and configure the SAML Path (General Parameters > Issuer modules > SAML > Path) with a regular expression:
^/(kerberos/saml/|saml/)
Don't forget to configure your authentication modules accordingly. Especially the chained authentications: General Parameters > Authentication parameters > Multi parameters > Authentication stack string
SSL;Apache;LDAP
Finally, don't forget to configure the portal virtual host with all the authentication parameters needed. Take a special care to the added RewriteRule in the SAML issuer section:
<VirtualHost "*:443">
ServerName auth.example.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/auth.example.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/auth.example.com.key
SSLCertificateChainFile /etc/httpd/ssl/chain.pem
SSLVerifyClient optional
SSLCACertificateFile /etc/httpd/ssl/ca.crt
SSLVerifyDepth 10
SSLOptions +StdEnvVars
LogLevel warn
ErrorLog /var/log/httpd/error_log
# DocumentRoot
DocumentRoot /var/lib/lemonldap-ng/portal/
<Directory /var/lib/lemonldap-ng/portal/>
Require all granted
Options +ExecCGI +FollowSymLinks
</Directory>
Alias /kerberos /var/lib/lemonldap-ng/portal/
<Location /kerberos>
Options +execCGI
ErrorDocument 401 /redirectKRB.pl
AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
AuthName "REALM.COM"
KrbAuthRealms REALM.COM
Krb5KeyTab /etc/httpd/keytabs/auth.keytab
KrbVerifyKDC Off
KrbServiceName Any
Require valid-user
</Location>
[...]
# SAML2 Issuer
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/saml/metadata /metadata.pl
RewriteRule ^/saml/.* /index.pl
RewriteRule ^/kerberos/saml/.* /index.pl
</IfModule>
[...]
</VirtualHost>