Tickets :: [#10980] Create the possibility of two alternative authentication modules

6.0.0-alpha10

5/14/25

Summary	Create the possibility of two alternative authentication modules
Queue	Horde Framework Packages
Queue Version	Git master
Type	Enhancement
State	Feedback
Priority	1. Low
Owners
Requester	c.denis (at) mrduck (dot) fr
Created	02/11/2012 (4841 days ago)
Due
Updated	01/28/2016 (3394 days ago)
Assigned
Resolved
Milestone
Patch	Yes

01/28/2016 04:45:36 PM	Jan Schneider	Comment #6	Reply to this comment
This should indeed be a stack driver that's not limited to two authentication backends.

03/26/2012 09:55:42 AM	krause (at) biochem (dot) mpg (dot) de	Comment #5	Reply to this comment
I am also very interested in this feature to be able to use two different base DN in an LDAP DIT! please feel free to contact me if I can do some testing.

02/13/2012 10:26:19 AM	c (dot) denis (at) mrduck (dot) fr	Comment #4	Reply to this comment
The idea to allow an arbitrary number of authentication modules (in an array for example) appeals to me: $conf['auth']['driver'] = 'multiple_auth'; $conf['auth']['params']['subriver'] = array('module1' , 'module2' , 'module3', ... ) But I see a Problem to nicely define the parameters to the subsequent modules, which would need to look something like the following incredibly long and complex line (nothing like the usual config style): $conf['auth']['params']['subriver-conf'] = array('module1' => array('table' => horde_users', 'username_field' => 'user',... ), 'module2' => array(), 'module3' => array()); Something like this can be realised by using this module multiple times and adding one authentication module per layer. But this would be a very simple looping idea: the 'single_validation' config could not be a part of this. I do not need this single_validation and added it in the hope to make it more general :) If there was to be a driver to choose from multiple authentication modules, one might as well want to validate the login in the local password cache, but get it confirmed by a befriended organisation. (external co-worker, who quits the organisation which dispatched him to my organisation, would see his account revoked or blocked) The one-time-password module I am working on, will only be published here soon. Though it would be possible to force users to always use a single-use password, I picture the use-case, where I have the permanent password saved in my browser on a trusted machine at home and only use the otp scheme when I am at an airport terminal. Using such an 'alternative' module would allow to use either authentication module without modifying the flow of the login mechanism. (not to mention that this driver is lacking all details on how the admin auth methods would work) This is because there already is a module providing this functionality: composite My previous configuration example illustrates how these two modules would be combined to provide for admin methods and additionally allow multiple authentication modules. I concede this could as well be implemented as an extention of the existing composite module. Would that seem more useful to you?

02/13/2012 09:55:08 AM	Jan Schneider	Comment #3	Reply to this comment
Even though this could be implemented locally, I think a stacked authentication driver would be a feature useful to others too, if implemented like Michael suggested. This could work similar to PAM allowing multiple authentication backends. Well, you could probably implement this if you used PAM authentication in Horde. :)

02/13/2012 12:29:19 AM	Michael Slusarz	Comment #2 State ⇒ Feedback Priority ⇒ 1. Low	Reply to this comment
Reviewing this... my feeling is this is a bit too-site specific to be useful to maintain/distribute in the main code base. I would be more receptive to a driver that allows a queue of authentication backends and would traverse the list of backends until authenticated. But this would be a very simple looping idea: the 'single_validation' config could not be a part of this. That is the part that is too site-specific (not to mention that this driver is lacking all details on how the admin auth methods would work). The good news - this should be easy enough for you to maintain locally. You just need to name your Auth class to something that can be autoloaded, and then just set $conf['auth']['driver'] in horde/config/conf.php to the full name of your Auth class (e.g. 'Horde_Auth_Foo').

02/11/2012 11:55:18 AM	c (dot) denis (at) mrduck (dot) fr	Comment #1 Priority ⇒ 2. Medium Type ⇒ Enhancement Summary ⇒ Create the possibility of two alternative authentication modules Queue ⇒ Horde Framework Packages Milestone ⇒ Patch ⇒ Yes New Attachment: 0001-dual-auth-module.patch State ⇒ New	Reply to this comment
Dear Dev-Team, if the format of my request/patch does not comply, please be patient with someone new to it. I will be happy to correct any mistakes pointed out. This is a stacking auth module (cf. Horde_Auth_Composite), which allows to use two authentication modules. The main usecase is to either validate the pwd against two different backends, or to validate against at least one backend. (patch attached) This is to facilitate the integration of a one-time-password scheme under development. The user would choose which password to enter (permanent vs. otp) and it could be processed. An example configuration usecase would look like this: $conf['auth']['driver'] = 'composite'; $conf['auth']['params']['admin_driver']['driver'] = 'sql'; $conf['auth']['params']['auth_driver']['driver'] = 'dual'; $conf['auth']['params']['auth_driver']['params']['single_validation'] = true; $conf['auth']['params']['auth_driver']['params']['auth1_driver']['driver'] = 'sql'; $conf['auth']['params']['auth_driver']['params']['auth2_driver']['driver'] = 'one-time-password-mechanism' Any feedback on implementations and/or enhancements very appreciated. Best regards, Carl PS: Priority is medium, as I would like to build other features on top of this one. Please correct it, if it is too high.