Help and Support - LDAP Authenticated Sitekit users being members of more than one group
Posted on 12 August 2014
Posted on 21 August 2014
I'm assuming that the authentication method you mention is the 3rd party one, which is the URL in the group rights that goes off and calls your locally installed ldapauth web service and then comes back with a yea or nay and a group id.
Basically that web service method predated multiple groups by about 3 years so it doesn't support anything other than a single group coming back. The web service itself only returns a single group even if the AD user belongs to multiple AD groups. However, even if that web service were extended, the 'Alternate authentication system' back in the group is only set to receive one.
So basically with your current system what you're wanting is not possible.
We have made changes to authentication in WIA environments and these have been deployed successfully. The one I'm thinking of uses WIA at IIS level to provide a non-challenged login for the customer's intranet users. The user is seamlessly authenticated against the local AD and then the AD user details are mapped to a local Sitekit user to provide persistence. Crucially, the user is also added to any groups that match the exact naming of the relevant AD groups, so multiple group access is possible.
Where a problem might occur with this architecture is that it's a deployed server and that it's difficult in a WIA environment to then accommodate external (non-AD) access to the same sites; we're just doing some work with the same customer on that at the moment.
There are other peripheral issues with WIA and the CMS that we are working through, but if you want I can put you in touch with the relevant customer and you can see if the solution we put in for them would work for you.
Currently we're also looking at federated logins, WAAD with synchtool and ADFS2 for other customers, but these are all at the early stages. We would be keen to work with you to get a good example of the 'holy grail of access', e.g. externally hosted, seamless non-challenged internal access from AD in N3, password-protected external access from outwith N3.