[commits] [Wiki] created: AuthCompositeHowToH3
Michael Slusarz
slusarz at horde.org
Wed Mar 23 03:34:49 UTC 2011
slusarz Wed, 23 Mar 2011 03:34:49 +0000
Created page: http://wiki.horde.org/AuthCompositeHowToH3
----
+ Composite Authentication !HowTo
**Contents**
[[toc]]
The composite authentication driver allows you to use different
authentication and user management schemes for different purposes or
circumstances.
You can define several authentication backends and selectively use one
of them depending on some criteria:
* For instance, you can force mobiles or PDAs to
((MIMPHowTo|authenticate with MIMP)).
Another use of the composite driver is to choose different drivers for
authentication and user management:
* For instance you want to let IMP authenticate users against several
possible email servers
* but you want to be able to manage users globally from a central user
repository (such as a corporate SQL database)
++ Defining the several drivers
First you need to define all the drivers in {{config/conf.php}} that
should be part of the composite driver. Each driver is configured like
a "normal" authentication driver and associated with a sub-driver
name. This name is completely independent of the authentication
scheme.
Suppose you would configure an FTP authentication backend like this:
<code type="php">
$conf['auth']['driver'] = 'ftp';
$conf['auth']['params'] = array('hostspec' => '192.168.0.21',
                                'port' => 21);
</code>
If you want to use that configuration in a composite driver, choose a
name, say "intranet_ftp", and add this configuration to the "drivers"
section of the composite driver parameters:
<code type="php">
$conf['auth']['driver'] = 'composite';
$conf['auth']['params']['drivers']['intranet_ftp']['driver'] = 'ftp';
$conf['auth']['params']['drivers']['intranet_ftp']['params'] = array(
    'hostspec' => '192.168.0.21',
    'port' => 21);
</code>
Let's configure a second authentication driver called "corporate_sql":
<code type="php">
$conf['auth']['driver'] = 'composite';
$conf['auth']['params']['drivers']['intranet_ftp']['driver'] = 'ftp';
$conf['auth']['params']['drivers']['intranet_ftp']['params'] = array(
    'hostspec' => '192.168.0.21',
    'port' => 21);
$conf['auth']['params']['drivers']['corporate_sql']['driver'] = 'sql';
$conf['auth']['params']['drivers']['corporate_sql']['params'] = array(
    'hostspec' => 'localhost',
    'phptype' => 'mysql',
    'protocol' => 'unix',
    'username' => 'dbuser',
    'password' => 'secret',
    'database' => 'coporate_users');
</code>
++ Defining the administration driver
In order to manage users you have to tell Horde which of the backends
contains the user information and should be used for administration
purposes. This driver is not only used by the Horde administrator to
define system-wide user permissions and groups, but also by Horde
users who want to define permissions on their shared objects (such as
Kronolith calendars).
For example, to use "corporate_sql" as the admin backend,
add the following line after the backend arrays:
<code type="php">
$conf['auth']['params']['admin_driver'] = 'corporate_sql';
</code>
++ Selecting the drivers
Next we need to select the correct drivers for the different purposes
of the authentication API. The driver gets selected by the name we
used in the last step. There are currently two possible switches for
selecting a driver, the login screen switch and the user name switch:
+++ Selecting the login driver
The driver that is responsible for logging the user in, including
providing the login screen and authenticating the user credentials, is
selected by the "loginscreen_switch".
Let's take our sample from above and choose the "intranet_ftp" driver
as the login driver:
<code type="php">
$conf['auth']['params']['loginscreen_switch'] = '_horde_select_loginscreen';
if (!function_exists('_horde_select_loginscreen')) {
    function _horde_select_loginscreen()
    {
        return 'intranet_ftp';
    }
}
</code>
+++ Selecting the login driver according to the domain name used to access Horde
In this example the driver is chosen depending on which server address
was used to access Horde. We assume that the "corporate_sql" users
access via "sql.my-company.com" and the "intranet_ftp" users via
"ftp.my-company.com".
<code type="php">
$conf['auth']['params']['loginscreen_switch'] = '_horde_select_loginscreen';
if (!function_exists('_horde_select_loginscreen')) {
    function _horde_select_loginscreen() {
        if ($_SERVER['SERVER_NAME'] == 'ftp.my-company.com') {
            return 'intranet_ftp';
        }
        return 'corporate_sql';
    }
}
</code>
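The host-based switch above trusts {{$_SERVER['SERVER_NAME']}}, which on many web server setups (for example Apache with {{UseCanonicalName Off}}) is filled from the client's Host header, so the client effectively picks the backend that checks its password. The following is an added example, not part of the original wiki page or Horde's own code: it normalises the name and resolves it through a fixed map, keeping the page's "corporate_sql" fallback for anything unknown. The helper {{_example_host_to_driver()}} is a hypothetical name; host and driver names are the page's samples.

```php
<?php
// Added example (not from the Horde wiki page).
// Assumption: placed in config/conf.php after the 'drivers' definitions.
$conf['auth']['params']['loginscreen_switch'] = '_horde_select_loginscreen';

if (!function_exists('_example_host_to_driver')) {
    // Hypothetical helper: map a host name to a sub-driver name.
    function _example_host_to_driver($host, $map, $default)
    {
        // Normalise: lower-case, drop an optional ":port" and a trailing dot,
        // so "FTP.my-company.com:443." and "ftp.my-company.com" match alike.
        $host = strtolower(trim((string)$host));
        $host = preg_replace('/:\d+$/', '', $host);
        $host = rtrim($host, '.');

        // Exact lookup in a fixed allowlist; no substring or loose matching.
        return isset($map[$host]) ? $map[$host] : $default;
    }
}

if (!function_exists('_horde_select_loginscreen')) {
    function _horde_select_loginscreen()
    {
        // Sample host names and driver names taken from the page.
        $map = array(
            'ftp.my-company.com' => 'intranet_ftp',
            'sql.my-company.com' => 'corporate_sql',
        );

        // SERVER_NAME can be absent (CLI, cron); treat that as unknown.
        $name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';

        // Unknown or missing hosts fall back to the page's default driver.
        return _example_host_to_driver($name, $map, 'corporate_sql');
    }
}
```

Because any reachable host name selects a working login driver, every sub-driver listed in the map has to be acceptable as a way into Horde; pinning the canonical server name in the web server configuration keeps the choice tied to the virtual host rather than to the request header.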