The PureMessage multiple end user authentication packages allow you to configure the End User Web Interface (EUWI) to use more than one authentication handler. For example, you can authenticate against multiple LDAP or Active Directory servers, or use a mixture in which some users authenticate via an emailed session ID and others via a flat file.
Note: These instructions assume that you have already installed both the EUWI and the PureMessage Manager and that you are running the latest version of PureMessage.
To install the multi authenticator for the EUWI, along with a PureMessage Manager module that is used to configure the multi authenticator, run the following commands as the "pmx" user:
ppm install PureMessageX-Enduser-Auth-Multi
ppm install PureMessageX-Manager-Enduser-Multi
Although authentication for the EUWI is usually configured via the End User Authentication page of the Quarantine tab in the PureMessage Manager, you must configure multiple authentication methods at the command line.
The configuration files necessary to set up multiple authentication methods differ depending on which methods you plan to use. If your methods include a session ID that is emailed to the user, or a password stored in a plain text file, you must include a section for each method in /opt/pmx/etc/enduser/auth.conf. LDAP authentication is configured in a separate file, and is described in "LDAP" below.
The sections in auth.conf should look similar to the following:
Session ID is emailed to user
<Authenticator email_session>
    <config>
        # This is only required if there is no enduser_url defined in enduser.conf
        # destination=http://localhost:28080/eu/index.cgi
        session_expire = 1w
        template = enduser/email-session.tmpl
    </config>
    description = SessionID is emailed to user
    module = PureMessage::Enduser::Auth::Authenticator::Email
</Authenticator>
Password database is kept in plain text file
<Authenticator flat_file>
    <config>
        file = enduser/enduser_ui_user_passwords
        crypt = none
    </config>
    description = Password database is kept in a plain text file
    module = PureMessage::Enduser::Auth::Authenticator::FlatFile
</Authenticator>
Any LDAP servers used for authentication are specified in a separate file (/opt/pmx/etc/enduser/auth.d/ldap.conf). You must configure a separate LDAP section for each LDAP server, and the sections must have unique names (ldap, ldap2, etc). Each section should look similar to the following:
<Authenticator ldap2>
    <config>
        dn_discovery = 1
        attribute_mail = mail
        debug = 0
        <ldap_server>
            ldap://localhost:389
        </ldap_server>
        base_dn = dc=example,dc=com
        attribute_mail_index = 0
        filter = (uid=%%username%%)
    </config>
    description = LDAP based authentication
    module = PureMessage::Enduser::Auth::Authenticator::LDAP
</Authenticator>
For more about configuring individual LDAP options, see the ldap.conf man page.
Configure your multiple authentication sources by editing the /opt/etc/enduser/auth_multi.conf file and specifying your authentication handlers. Specify each authenticator on its own line as shown in the example below. The system will attempt to authenticate users against each handler in the order specified until it is successful, or until it runs out of handlers.
<authenticators>
    ldap
    flat_file
    ldap2
    email_session
</authenticators>
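A mistyped or missing handler name in auth_multi.conf is only noticed when the chain silently skips it, so it is worth checking the three files against each other before syncing and restarting. The Python script below is an added example, not PureMessage code: it parses the Apache-style sections shown above (transcribed here as constructed sample text rather than read from a live host), lists the handlers in the order the EUWI will try them, and reports every handler that has no matching <Authenticator> section. The additional checks (a duplicate entry, and a flat-file handler with crypt = none) are this example's own. With the fragments exactly as shown, it reports that "ldap" has no section, since only ldap2 is defined in the LDAP sample, and that flat_file stores its passwords unhashed.

```python
import re

# Constructed sample input, transcribed from the sections shown in this article;
# on a real host, read auth.conf, auth.d/ldap.conf and auth_multi.conf instead.
AUTH_CONF = """\
<Authenticator email_session>
  <config>
    template = enduser/email-session.tmpl
  </config>
  module = PureMessage::Enduser::Auth::Authenticator::Email
</Authenticator>
<Authenticator flat_file>
  <config>
    file = enduser/enduser_ui_user_passwords
    crypt = none
  </config>
  module = PureMessage::Enduser::Auth::Authenticator::FlatFile
</Authenticator>
"""
LDAP_CONF = """\
<Authenticator ldap2>
  <config>
    <ldap_server>
      ldap://localhost:389
    </ldap_server>
    base_dn = dc=example,dc=com
    filter = (uid=%%username%%)
  </config>
  module = PureMessage::Enduser::Auth::Authenticator::LDAP
</Authenticator>
"""
AUTH_MULTI_CONF = """\
<authenticators>
  ldap
  flat_file
  ldap2
  email_session
</authenticators>
"""

OPEN_TAG = re.compile(r"<(\w+)(?:\s+(\S+))?>")
CLOSE_TAG = re.compile(r"</(\w+)>")


def parse_blocks(text):
    """Parse <tag [arg]> ... </tag> blocks into nested dicts: 'key = value' lines
    become entries (split on the first '=' only, so 'filter = (uid=%%username%%)'
    survives intact); bare lines like the ldap_server URL go under '_values'."""
    stack = [("", {})]  # (tag, dict) pairs; the root has no tag
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines
        if m := CLOSE_TAG.fullmatch(line):
            if len(stack) == 1 or stack[-1][0] != m.group(1):
                raise ValueError(f"unexpected closing tag: {line}")
            stack.pop()
        elif m := OPEN_TAG.fullmatch(line):
            tag, arg = m.groups()
            child = {}
            stack[-1][1][f"{tag} {arg}" if arg else tag] = child
            stack.append((tag, child))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][1][key] = value
        else:
            stack[-1][1].setdefault("_values", []).append(line)
    if len(stack) != 1:
        raise ValueError(f"unclosed block: <{stack[-1][0]}>")
    return stack[0][1]


def load_authenticators(*texts):
    """Collect every <Authenticator NAME> section from the given file texts."""
    found = {}
    for text in texts:
        for key, body in parse_blocks(text).items():
            tag, _, name = key.partition(" ")
            if tag == "Authenticator" and name:
                found[name] = body
    return found


def handler_order(multi_text):
    """Handler names in the order the EUWI will try them."""
    return list(parse_blocks(multi_text).get("authenticators", {}).get("_values", []))


def lint(order, authenticators):
    """Findings for the chain (this example's own checks, not PureMessage's):
    a listed handler with no section, a duplicate entry, and a flat-file
    handler that keeps its passwords unhashed (crypt = none)."""
    findings = []
    if not order:
        findings.append("no handlers listed in <authenticators>")
    for i, name in enumerate(order):
        if name in order[:i]:
            findings.append(f"{name}: listed more than once")
        elif name not in authenticators:
            findings.append(f"{name}: no <Authenticator {name}> section found")
        elif authenticators[name].get("config", {}).get("crypt") == "none":
            findings.append(f"{name}: crypt = none, passwords are stored unhashed")
    return findings
```

Run lint(handler_order(AUTH_MULTI_CONF), load_authenticators(AUTH_CONF, LDAP_CONF)) after editing the files and before the pmx-profile sync and service restarts; an empty list means every handler in the chain resolves to a section. The parser rejects an unbalanced block rather than guessing, since a stray closing tag would otherwise attach later settings to the wrong authenticator.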
Once the multi authenticator is configured, you must also configure the EUWI to use multi authentication. To do this, edit the /opt/etc/enduser/enduser.conf file and locate the "auth=" option (which is likely near the end of the file). Change this line to "auth=multi".
Then run the following commands:
pmx-profile sync-to-db --resource=enduser_config --force
pmx-profile sync-to-db --resource=enduser_ui_config --force
pmx-manager restart
pmx-httpd restart
Now, if you view the End User Authentication tab of the PureMessage Manager, the option "Multi-Authentication is managed by command line configuration" is selected. On the sidebar, click Multi Authenticator to view the authentication settings in their order of precedence.
All errors and warning messages are written to the /opt/var/log/manager/httpd_error.log file. All items related to the multi authenticator are prefixed with the phrase "EU-MULTI-AUTH".