[#10980] Create the possibility of two alternative authentication modules
Summary Create the possibility of two alternative authentication modules
Queue Horde Framework Packages
Queue Version Git master
Type Enhancement
State Feedback
Priority 1. Low
Requester c.denis@mrduck.fr
Created 2012-02-11 (3578 days ago)
Updated 2016-01-28 (2131 days ago)
Patch Yes

c.denis@mrduck.fr 2012-02-11 11:55:18
Dear Dev-Team,

if the format of my request/patch does not comply, please be patient 
with someone new to it. I will be happy to correct any mistakes 
pointed out.

This is a stacking auth module (cf. Horde_Auth_Composite), which 
allows to use two authentication modules. The main usecase is to 
either validate the pwd against two different backends, or to validate 
against at least one backend. (patch attached)

This is to facilitate the integration of a one-time-password scheme 
under development. The user would choose which password to enter 
(permanent vs. otp) and it could be processed.

An example configuration usecase would look like this:
$conf['auth']['driver'] = 'composite';
$conf['auth']['params']['admin_driver']['driver'] = 'sql';
$conf['auth']['params']['auth_driver']['driver'] = 'dual';
$conf['auth']['params']['auth_driver']['params']['single_validation'] = true;
$conf['auth']['params']['auth_driver']['params']['auth1_driver']['driver'] = 
$conf['auth']['params']['auth_driver']['params']['auth2_driver']['driver'] = 

Any feedback on implementations and/or enhancements very appreciated.

Best regards,

PS: Priority is medium, as I would like to build other features on top 
of this one. Please correct it, if it is too high.

Michael Slusarz <slusarz@horde.org> 2012-02-13 00:29:19
Reviewing this... my feeling is this is a bit too-site specific to be 
useful to maintain/distribute in the main code base.

I would be more receptive to a driver that allows a queue of 
authentication backends and would traverse the list of backends until 
authenticated.  But this would be a very simple looping idea: the 
'single_validation' config could not be a part of this. That is the 
part that is too site-specific (not to mention that this driver is 
lacking all details on how the admin auth methods would work).

The good news - this should be easy enough for you to maintain 
locally.  You just need to name your Auth class to something that can 
be autoloaded, and then just set $conf['auth']['driver'] in 
horde/config/conf.php to the full name of your Auth class (e.g. 

Jan Schneider <jan@horde.org> 2012-02-13 09:55:08
Even though this could be implemented locally, I think a stacked 
authentication driver would be a feature useful to others too, if 
implemented like Michael suggested. This could work similar to PAM 
allowing multiple authentication backends. Well, you could probably 
implement this if you used PAM authentication in Horde. :)

c.denis@mrduck.fr 2012-02-13 10:26:19
The idea to allow an arbitrary number of authentication modules (in an 
array for example) appeals to me:
$conf['auth']['driver'] = 'multiple_auth';
$conf['auth']['params']['subriver'] = array('module1' , 'module2' , 
'module3', ... )
But I see a Problem to nicely define the parameters to the subsequent 
modules, which would need to look something like the following 
incredibly long and complex line (nothing like the usual config style):
$conf['auth']['params']['subriver-conf'] = array('module1' => 
array('table' => horde_users', 'username_field' => 'user',... ), 
'module2' => array(), 'module3' => array());
Something like this can be realised by using this module multiple 
times and adding one authentication module per layer.

> But this would be a very simple looping idea: the 
> 'single_validation' config could not be a part of this.
I do not need this single_validation and added it in the hope to make 
it more general :) If there was to be a driver to choose from multiple 
authentication modules, one might as well want to validate the login 
in the local password cache, but get it confirmed by a befriended 
organisation. (external co-worker, who quits the organisation which 
dispatched him to my organisation, would see his account revoked or 

The one-time-password module I am working on, will only be published 
here soon. Though it would be possible to force users to always use a 
single-use password, I picture the use-case, where I have the 
permanent password saved in my browser on a trusted machine at home 
and only use the otp scheme when I am at an airport terminal. Using 
such an 'alternative' module would allow to use either authentication 
module without modifying the flow of the login mechanism.

> (not to mention that this driver is lacking all details on how the 
> admin auth methods would work)
This is because there already is a module providing this 
functionality: composite
My previous configuration example illustrates how these two modules 
would be combined to provide for admin methods and additionally allow 
multiple authentication modules.

I concede this could as well be implemented as an extention of the 
existing composite module. Would that seem more useful to you?

krause@biochem.mpg.de 2012-03-26 09:55:42
I am also very interested in this feature to be able to use two 
different base DN in an LDAP DIT! please feel free to contact me if I 
can do some testing.

Jan Schneider <jan@horde.org> 2016-01-28 16:45:36
This should indeed be a stack driver that's not limited to two 
authentication backends.