6.0.0-git
2024-03-19
Last Modified 2011-03-23 by Michael Slusarz

Composite Authentication HowTo

The composite authentication driver allows you to use different authentication and user management schemes for different purposes or circumstances.

You can define several authentication backends and selectively use one of them depending on some criteria.

Another use of the composite driver is to choose different drivers for authentication and user management:

  • For instance, you want IMP to authenticate users against several possible email servers,
  • but you want to manage users globally from a central user repository (such as a corporate SQL database).

Defining the several drivers

First you need to define all the drivers in config/conf.php that should be part of the composite driver. Each driver is configured like a "normal" authentication driver and associated with a sub-driver name. This name is completely independent of the authentication scheme.

Let's say you would configure an FTP authentication backend like this:

$conf['auth']['driver'] = 'ftp';
$conf['auth']['params'] = array('hostspec' => '192.168.0.21',
                                'port' => 21);

If you want to use that configuration in a composite driver, choose a name, say "intranet_ftp", and add this configuration to the "drivers" section of the composite driver parameters:

$conf['auth']['driver'] = 'composite';
$conf['auth']['params']['drivers']['intranet_ftp']['driver'] = 'ftp';
$conf['auth']['params']['drivers']['intranet_ftp']['params'] = array(
    'hostspec' => '192.168.0.21',
    'port' => 21);

Let's configure a second authentication driver called "corporate_sql":

$conf['auth']['driver'] = 'composite';
$conf['auth']['params']['drivers']['intranet_ftp']['driver'] = 'ftp';
$conf['auth']['params']['drivers']['intranet_ftp']['params'] = array(
    'hostspec' => '192.168.0.21',
    'port' => 21);
$conf['auth']['params']['drivers']['corporate_sql']['driver'] = 'sql';
$conf['auth']['params']['drivers']['corporate_sql']['params'] = array(
    'hostspec' => 'localhost',
    'phptype' => 'mysql',
    'protocol' => 'unix',
    'username' => 'dbuser',
    'password' => 'secret',
    'database' => 'corporate_users');

Defining the administration driver

In order to manage users you have to tell Horde which of the backends contains the user information and should be used for administration purposes. This driver is not only used by the Horde administrator to define system-wide user permissions and groups, but also by Horde users who want to define permissions on their shared objects (such as Kronolith calendars).

For example, to configure it to use "corporate_sql" as the admin backend, add the following line after the backend arrays:

$conf['auth']['params']['admin_driver'] = 'corporate_sql';

Selecting the drivers

Next we need to select the correct drivers for the different purposes of the authentication API. The driver gets selected by the name we used in the last step. There are currently two possible switches for selecting a driver, the login screen switch and the user name switch:

Selecting the login driver

The driver that is responsible for logging the user in, including providing the login screen and authenticating the user credentials, is selected by the "loginscreen_switch".

Let's take our sample from above and choose the "intranet_ftp" driver as the login driver:

$conf['auth']['params']['loginscreen_switch'] = '_horde_select_loginscreen';
if (!function_exists('_horde_select_loginscreen')) {
    function _horde_select_loginscreen()
    {
        return 'intranet_ftp';
    }
}

Selecting the login driver according to the domain name used to access Horde

In this example the driver is chosen depending on which server address was used to access Horde. We assume that the "corporate_sql" users access via "sql.my-company.com" and the "intranet_ftp" users via "ftp.my-company.com".

$conf['auth']['params']['loginscreen_switch'] = '_horde_select_loginscreen';
if (!function_exists('_horde_select_loginscreen')) {
    function _horde_select_loginscreen()
    {
        if ($_SERVER['SERVER_NAME'] == 'ftp.my-company.com') {
            return 'intranet_ftp';
        }
        return 'corporate_sql';
    }
}
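As an added example that is not part of the original HowTo, the pieces from this page are assembled below into one conf.php fragment, with the host-name switch written as an allow-list lookup that falls back to a fixed driver when the host name is unknown or absent. The driver names, host names and backend parameters are the ones used above; the allow-list style is the example's own choice, not something the Horde composite driver requires.

```php
<?php
// Added example, not from the Horde documentation. Complete composite
// configuration: two sub-drivers, the admin driver, and a login-screen switch
// that maps the host name used to reach Horde to a sub-driver name.

$conf['auth']['driver'] = 'composite';

// Sub-driver "intranet_ftp": authenticate against the intranet FTP server.
$conf['auth']['params']['drivers']['intranet_ftp']['driver'] = 'ftp';
$conf['auth']['params']['drivers']['intranet_ftp']['params'] = array(
    'hostspec' => '192.168.0.21',
    'port' => 21);

// Sub-driver "corporate_sql": the central user repository.
$conf['auth']['params']['drivers']['corporate_sql']['driver'] = 'sql';
$conf['auth']['params']['drivers']['corporate_sql']['params'] = array(
    'hostspec' => 'localhost',
    'phptype' => 'mysql',
    'protocol' => 'unix',
    'username' => 'dbuser',
    'password' => 'secret',
    'database' => 'corporate_users');

// User management (permissions, groups, shares) goes to the SQL backend.
$conf['auth']['params']['admin_driver'] = 'corporate_sql';

// Login-screen switch: pick the sub-driver by the host name that was used.
$conf['auth']['params']['loginscreen_switch'] = '_horde_select_loginscreen';
if (!function_exists('_horde_select_loginscreen')) {
    function _horde_select_loginscreen()
    {
        // Allow list of host name => sub-driver name. Only values listed here
        // are ever returned, so an unexpected host can never select a driver
        // that is not configured above.
        $map = array(
            'ftp.my-company.com' => 'intranet_ftp',
            'sql.my-company.com' => 'corporate_sql',
        );
        // Under Apache with UseCanonicalName Off (the default), SERVER_NAME is
        // derived from the client-supplied Host header, so it is treated as
        // untrusted input: normalise case and accept only an exact match.
        $host = isset($_SERVER['SERVER_NAME'])
            ? strtolower($_SERVER['SERVER_NAME']) : '';
        if (isset($map[$host])) {
            return $map[$host];
        }
        // Unknown or missing host name: fall back to the central repository.
        return 'corporate_sql';
    }
}
```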