Chained functions combine authentication subsystems. The chain is controlled by the authentication.chain global property. When a user logs in, SkyVault tries the user's credentials against each of the subsystems in the order specified in the chain, until the credentials are accepted (the login is successful) or until each subsystem has been tried (and the login fails).
Some functions cannot be chained (passthru function), for example, CIFS authentication, and NTLM / SPEGNO based Single Sign-On (SSO). These functions are handled by the first subsystem in the chain that supports that function and has it enabled. This means that only a subset of your users might be able to use SSO and CIFS.
- Open the SkyVault-global.properties file.
-
Locate, or if it does not already exist, create the
authentication.chain global property.
This is a comma separated list of the form:
instance_name1:type1,...,instance_namen:typen
for example,authentication.chain=alfrescoNtlm1:alfrescoNtlm
-
Set the property to the required values.
The default authentication chain specifies one instance of the SkyVaultNtlm subsystem type with ID SkyVaultNtlm1.
For example, set the property to the following value:
SkyVaultNtlm1:alfrescoNtlm,ldap1:ldap
When you navigate to the SkyVault:Type=Configuration,Category=Authentication,id1=manager MBean in global property overrides, a new authentication subsystem instance called ldap1 is created and added to the end of the authentication chain.
- Save the file.
- Built-in SkyVault users and Windows users can log in, with SkyVault taking precedence
- The Windows domain server handles CIFS authentication directly
- LDAP synchronizes user and group details
- Configure the following authentication
chain:
SkyVaultNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap
- Deactivate SSO in order to activate chained password-based log in, target CIFS at
passthru1 and target synchronization (but not authentication) at
ldap1 by setting the following properties:
- SkyVaultNtlm1
- ntlm.authentication.sso.enabled=false
- SkyVault.authentication.authenticateCIFS=false
- passthru1
- ntlm.authentication.sso.enabled=false
- passthru.authentication.authenticateCIFS=true
- ldap1
- ldap.authentication.active=false
- ldap.synchronization.active=true
- User passwords are validated directly against the LDAP servers for web, SharePoint and FTP login
- The CIFS server is deactivated because neither server can handle CIFS-style authentication
- LDAP is used to synchronize user and group details from both directories
- Users in the first directory, ldap1, take precedence over those in the second directory, ldap2
- In the SkyVault-global.properties, specify this
setting:
authentication.chain=ldap1:ldap,ldap2:ldap
- Copy <configRootShare>/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties to both the <classpathRoot>/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties and <classpathRoot>/alfresco/extension/subsystems/Authentication/ldap/ldap2/ldap-authentication.properties files.
- Edit the properties for ldap1 and ldap2 with appropriate settings to complete the configuration. See LDAP configuration properties for information on each of the properties.