Fallback authentication

Hello Icinga2 community,
while I did setup Icinga Web2, I decided to use LDAP as backend, which is working perfectly (User and Groups and permissions). Now I decided to configure a single User with another Ressource, just as a fallback in case of a LDAP maintaintance or if problem occurs.

So what I did is:
htdigest -c /etc/icingaweb2/.icingawebdigest “Icinga Web 2” fallback_user

in /etc/httpd/conf.d/icingaweb2.conf added:

<Directory “/usr/share/icingaweb2/public”>

AuthType digest
AuthName "Icinga Web 2"
AuthDigestProvider file
AuthUserFile /etc/icingaweb2/.icingawebdigest
Require valid-user fallback_user

in /etc/icingaweb2/roles.ini added:

[fallback_user]
users = "fallback_user"
permissions = "*"

in /etc/icingaweb2/authentication.ini added:

[autologin]
backend = external

Unfortunately still only the LDAP login works. At the IW2 I also can see the Ressources and Authentificaton and changing the order does not change anything either. Does somebody have a idea?

Version: IcingaWeb2-2.7

Many thanks in advance!

Hi,

external authentication mechanisms can’t be used as a fallback. They’re the ones who perform the authentication itself, and only provide Icinga Web 2 with the resulting identification.

If at all, you may configure the database authentication backend as a fallback. Or another LDAP backend. Only if Icinga Web 2 performs the authentication it has the chance to utilize multiple backends.

2 Likes

Thanks for the information, I did have not know that before. Now I solved it with a mysql-Database as fallback as described in: https://icinga.com/docs/icingaweb2/latest/doc/20-Advanced-Topics/#icinga-web-2-manual-setup

So for all folks in future which also did first configured LDAP as first authentication method at the setup routine, this the way to configure a mysql-Database as fallback afterwards.

Best regards
David

2 Likes