The PureMessage multiple end user authentication packages allow you to configure the End User Web Interface (EUWI) to use more than one authentication handler. For example, you can use multiple LDAP or Active Directory servers, or a mixture in which some users authenticate via email session, others via flat file, and so on.
Note: These instructions assume that you have already installed both the EUWI and the PureMessage Manager and that you are running the latest version of PureMessage.
1. Installing the Multi-Authentication Packages
To install the multi authenticator for the EUWI, along with a PureMessage Manager module that is used to configure the multi authenticator, run the following commands as the "pmx" user:
ppm install PureMessageX-Enduser-Auth-Multi
ppm install PureMessageX-Manager-Enduser-Multi
2. Configuring Authentication Methods
Although authentication for the EUWI is usually configured via the End User Authentication page of the Quarantine tab in the PureMessage Manager, you must configure multiple authentication methods at the command line.
The configuration files necessary to set up multiple authentication methods differ depending on which methods you plan to use. If your methods include a session ID that is emailed to the user, or a password stored in a plain text file, you must include a section for each method in /opt/pmx/etc/enduser/auth.conf. LDAP authentication is configured in a separate file, and is described in "LDAP" below.
The sections in auth.conf should look similar to the following:
Session ID is emailed to user
# This is only required if there is no enduser_url defined
session_expire = 1w
template = enduser/email-session.tmpl
description = SessionID is emailed to user
module = PureMessage::Enduser::Auth::Authenticator::Email
Password database is kept in plain text file
file = enduser/enduser_ui_user_passwords
crypt = none
description = Password database is kept in a plain text file
module = PureMessage::Enduser::Auth::Authenticator::FlatFile
Any LDAP servers used for authentication are specified in a separate file (/opt/pmx/etc/enduser/auth.d/ldap.conf). You must configure a separate LDAP section for each LDAP server, and the sections must have unique names (ldap, ldap2, etc). Each section should look similar to the following:
dn_discovery = 1
attribute_mail = mail
debug = 0
base_dn = dc=example,dc=com
attribute_mail_index = 0
filter = (uid=%%username%%)
description = LDAP based authentication
module = PureMessage::Enduser::Auth::Authenticator::LDAP
For more about configuring individual LDAP options, see the ldap.conf man page.
3. Defining Multiple Authenticators
Configure your multiple authentication sources by editing the /opt/etc/enduser/auth_multi.conf file and specifying your authentication handlers. Specify each authenticator on its own line as shown in the example below. The system will attempt to authenticate users against each handler in the order specified until it is successful, or until it runs out of handlers.
4. Configuring the End User Web Interface and PureMessage Manager
Once the multi authenticator is configured, you must also configure the EUWI to use multi authentication. To do this, edit the /opt/etc/enduser/enduser.conf file and locate the "auth=" option (which is likely near the end of the file). Change this line to "auth=multi".
Then run the following commands:
pmx-profile sync-to-db --resource=enduser_config --force
pmx-profile sync-to-db --resource=enduser_ui_config --force
Now, if you view the End User Authentication tab of the PureMessage Manager, the selected option is "Multi-Authentication is managed by command line configuration". On the sidebar, click Multi Authenticator to view authentication settings in their order of precedence.
All error and warning messages are written to the /opt/var/log/manager/httpd_error.log file. All items related to the multi authenticator are prefixed with the phrase "EU-MULTI-AUTH".
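As an added example (not part of the original article and not PureMessage's own tooling), the shell functions below check the result of steps 2 and 4: that enduser.conf selects auth=multi, and whether a flat-file method with crypt = none keeps its password file readable beyond its owner. The function names are hypothetical, and resolving a relative file value under the directory that contains enduser/auth.conf is an assumption.

```shell
#!/bin/sh
# Added example, not part of PureMessage. Function names are hypothetical.

# Print the value of the last "KEY = value" line in FILE.
# Lines starting with '#' never match, so commented-out settings are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" |
        tail -n 1
}

# $1 = directory that contains enduser/auth.conf (e.g. /opt/pmx/etc)
# $2 = path to enduser.conf
# Prints one line per finding and returns 0 only when there are none.
audit_euwi_auth() {
    etc=$1
    enduser_conf=$2
    findings=0

    # Step 4: the EUWI must be switched to the multi authenticator.
    if [ "$(conf_value auth "$enduser_conf")" != "multi" ]; then
        echo "FAIL: auth is not set to multi in $enduser_conf"
        findings=$((findings + 1))
    fi

    # Step 2: crypt = none means the flat file holds passwords unhashed,
    # so the file's permissions are the only thing protecting them.
    auth_conf=$etc/enduser/auth.conf
    if [ "$(conf_value crypt "$auth_conf")" = "none" ]; then
        echo "WARN: crypt = none in $auth_conf (passwords stored in plain text)"
        findings=$((findings + 1))
        pwfile=$(conf_value file "$auth_conf")
        # Assumption: a relative "file" value is resolved under $etc.
        case $pwfile in /*) ;; *) pwfile=$etc/$pwfile ;; esac
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ -e "$pwfile" ] && [ "$(ls -ld "$pwfile" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $pwfile is accessible to group or other users"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Usage on a live system, with the paths as written in the article:
#   audit_euwi_auth /opt/pmx/etc /opt/etc/enduser/enduser.conf
```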