Sitekit Forums

Help and Support - LDAP Authenticated Sitekit users being members of more than one group

Mike Cave

Posted on 12 August 2014

Users who log in to our Intranet do so via LDAP Authentication, and so are members of Sitekit Group 'Domain Members'. For this group members are authenticated via a Web Service Authentication URL, set in the 'Alternate Authentication Methods' section of the group details. We also need to have a very small number of such users to be able to access a protected area on the Intranet - accessible currently to only a few, including members of Sitekit Group 'DHCI Board Members'. So we would like a small number of our users to be members of both 'Domain Members' and 'DHCI Board Members'. The nature of the protected area is such that the 'Domain Members' group is excluded - so we would want these few users to have 'DHCI Board Members' set as Master group with 'Domain Members' as additional. I have tried for my own member entry to add in 'DHCI Board Members' and then set it to master. It lets me save, but it still acts as though 'Domain Members' is Master. While I'm editing my entry, the message 'This is a third-party Member, whose details are being derived from an external Member directory. Contact the administrator of the external Member directory if you wish to change any of this Member's properties.' shows - so is it possible to set my user account to be a member of both in the way that I need? This is functionality we would really like to make use of, as it means users could log in via Windows authentication, and then be given extra privileges as and when needed.

Ian Stewart (Admin)

Posted on 21 August 2014

Hi Mike,

I'm assuming that the authentication method you mention is the 3rd party one, which is the URL in the group rights that goes off and calls your locally installed ldapauth web service and then comes back with a yea or nay and a group id.

Basically that web service method predated multiple groups by about 3 years, so it doesn't support anything other than a single group coming back. The web service itself only returns a single group even if the AD user belongs to multiple AD groups. However, even if that web service was extended, the 'Alternate authentication system' back in the group is only set to receive one.

So basically with your current system what you're wanting is not possible.

We have made changes to authentication in WIA environments and these have been deployed successfully. The one I'm thinking of uses WIA at IIS level to provide a non-challenged login for the customer's intranet users. The user is seamlessly authenticated against the local AD and then the AD user details are mapped to a local Sitekit user to provide persistence. Crucially, the user is also added to any groups that match the exact naming of the relevant AD groups, so multiple group access is possible.

Where a problem might occur with this architecture is that it's a deployed server and that it's difficult in a WIA environment to then accommodate external (non-AD) access to the same sites; we're just doing some work with the same customer on that at the moment.

There are other peripheral issues with WIA and the CMS that we are working through, but if you want I can put you in touch with the relevant customer and you can see if the solution we put in for them would work for you.

Currently we're also looking at federated logins, WAAD with synchtool and ADFS2 for other customers, but these are all at the early stages. We would be keen to work with you to get a good example of the 'holy grail of access', e.g. externally hosted, seamless non-challenged internal access from AD in N3, password-protected external access from outwith N3.
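The two behaviours Ian contrasts above (the legacy web service that hands back a yes/no plus one group id, and the WIA-based mapping that adds the Windows user to every CMS group whose name exactly matches an AD group) are modelled in the following added example. This is illustration code written for this thread, not Sitekit's or the ldapauth web service's own code; the group names, group ids, user records and the small "AD directory" it reads from are constructed samples, and the function names are hypothetical.

```python
"""Added example (not Sitekit or ldapauth code): AD-group to CMS-group mapping.

Two strategies are modelled:
  - legacy_single_group(): the older web-service style that can only hand
    back ONE group id, so a user in several matching AD groups still lands
    in a single CMS group.
  - wia_map_user(): the WIA-style mapping where IIS has already authenticated
    the Windows identity and the application adds the persisted local user
    to EVERY CMS group whose name exactly matches one of the user's AD groups.
All names, ids and directory contents below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of CMS groups: group name -> hypothetical group id.
CMS_GROUPS: Dict[str, int] = {
    "Domain Members": 10,
    "DHCI Board Members": 42,
    "Content Editors": 77,
}

# Constructed sample "AD directory": account name -> AD group names.
# The third account shows the exact-naming rule: "domain members" (lower
# case) is NOT the same name as the CMS group "Domain Members".
AD_DIRECTORY: Dict[str, List[str]] = {
    "mcave": ["Domain Users", "Domain Members", "DHCI Board Members"],
    "jbloggs": ["Domain Users", "Domain Members"],
    "asmith": ["Domain Users", "domain members"],
}


@dataclass
class CmsUser:
    """Minimal stand-in for a persisted local CMS user (constructed model)."""
    username: str
    groups: Set[int] = field(default_factory=set)


def legacy_single_group(username: str) -> Optional[int]:
    """Legacy web-service contract: authenticated or not, plus a single group id.

    Only the first AD group that exactly matches a CMS group is returned;
    any further matches are silently dropped, which is why multi-group
    access cannot be expressed through this path.
    """
    for ad_group in AD_DIRECTORY.get(username, []):
        if ad_group in CMS_GROUPS:
            return CMS_GROUPS[ad_group]
    return None  # unknown account or no matching group: not authenticated


def wia_map_user(username: str) -> Optional[CmsUser]:
    """WIA-style mapping: persist a local user and grant every exact match.

    The Windows identity is assumed to have been authenticated by IIS already;
    this step only maps it onto local state. Names are compared exactly
    (case-sensitively), matching the "exact naming" rule described above.
    """
    ad_groups = AD_DIRECTORY.get(username)
    if ad_groups is None:
        return None  # never create a local account for an unknown identity
    user = CmsUser(username=username)
    for ad_group in ad_groups:
        group_id = CMS_GROUPS.get(ad_group)
        if group_id is not None:
            user.groups.add(group_id)
    return user


def can_access_protected_area(user: CmsUser, allowed_groups: Set[int]) -> bool:
    """Access is granted when the user holds at least one allowed group."""
    return bool(user.groups & allowed_groups)


if __name__ == "__main__":
    board_only = {CMS_GROUPS["DHCI Board Members"]}
    print("legacy mcave ->", legacy_single_group("mcave"))
    mapped = wia_map_user("mcave")
    print("wia mcave ->", sorted(mapped.groups),
          "board access:", can_access_protected_area(mapped, board_only))
```

Run as a script it shows the difference directly: through the legacy path the sample user "mcave" comes back with only the first matching group, while the WIA-style mapping gives the same user both 'Domain Members' and 'DHCI Board Members', so an area restricted to the board group becomes reachable. The "asmith" record ends up in no CMS group at all, which is the practical consequence of the exact-naming rule that an administrator setting this up would want to check for.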