Hi,

I have an issue where the user tries to log in using credentials that include a Windows domain in the userid attribute, for example "MYDOMAIN\toby".

I'm not sure which layer should handle the domain part correctly, and I think it really depends on the setup. Also, I'm not an AD expert and I don't know how the domain part would be used (selecting a "forest" in the AD server? or selecting a different AD server?). The problem especially comes up in SSO situations, where the LOGON_USER is passed over to a web application (e.g. Sling) that then uses the repository.

I can imagine the following scenarios:

a) the domain is constant, does not apply, or is a leftover from the SSO, so the repository does not (and never will) know about domains.
b) the domain is part of the userid, i.e. it effectively selects a different user, but the same AD is used for all external accounts.
c) the domain is part of the userid, but the domain also selects different ADs.

Right now, the external login module does not handle the domain specifier specifically, so it would behave like (b), although I think that the user would not be found on the AD via LDAP the way it is currently built. Also, for a simple SSO setup, where the authentication module of the web app retrieves the LOGON_USER, I think the domain should be stripped there and not be included in the JCR credentials.

So this basically boils down to the question:

1) should we implement special handling for Windows domain specifiers in the login modules?
2) should we ignore the Windows domain and delegate this work to the JCR client? (e.g. the Sling authentication handler should strip off the domain when building the JCR credentials)

I think as long as the domain is not part of the user selection/authentication, we should do 2).

WDYT?

Regards,
Toby
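The following is an added example of the client-side stripping proposed in option 2), not code from Sling, Oak, or the thread's author. It is a stand-alone helper (the class name, the LogonName holder, and the configured set of "ignorable" domains are all assumptions; a real authentication handler would read that set from its configuration) that turns a LOGON_USER value such as "MYDOMAIN\toby" into the userid for the JCR credentials. It only drops the prefix for domains the deployment has declared meaningless for the repository (scenario a), and rejects any other domain rather than silently mapping "OTHER\toby" onto the same repository user as "MYDOMAIN\toby", which is the collision that unconditional stripping would introduce under scenarios (b) and (c). Domain comparison is case-insensitive, as Windows domain names are.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (not Sling or Oak code): normalises a Windows-style logon
 * name ("MYDOMAIN\toby") before it is used as the userid of JCR credentials.
 * The domain is stripped only when it is one the deployment treats as
 * carrying no meaning for the repository; every other domain is refused.
 */
public final class LogonNameNormalizer {

    /** One parsed logon name; domain is null when no prefix was present. */
    public static final class LogonName {
        public final String domain;
        public final String user;

        LogonName(String domain, String user) {
            this.domain = domain;
            this.user = user;
        }
    }

    // Domains whose prefix is a leftover from SSO and means nothing to the
    // repository. Hypothetical configuration value, lower-cased for comparison.
    private final Set<String> ignorableDomains;

    public LogonNameNormalizer(Set<String> ignorableDomains) {
        Set<String> lower = new HashSet<>();
        for (String d : ignorableDomains) {
            lower.add(d.toLowerCase(Locale.ROOT));
        }
        this.ignorableDomains = Collections.unmodifiableSet(lower);
    }

    /**
     * Parses "DOMAIN\user". Returns empty for null or blank input, an empty
     * domain or user part, or more than one backslash, so malformed input
     * never reaches the repository as a userid.
     */
    public static Optional<LogonName> parse(String logonUser) {
        if (logonUser == null || logonUser.trim().isEmpty()) {
            return Optional.empty();
        }
        int sep = logonUser.indexOf('\\');
        if (sep < 0) {
            return Optional.of(new LogonName(null, logonUser));
        }
        String domain = logonUser.substring(0, sep);
        String user = logonUser.substring(sep + 1);
        if (domain.isEmpty() || user.isEmpty() || user.indexOf('\\') >= 0) {
            return Optional.empty();
        }
        return Optional.of(new LogonName(domain, user));
    }

    /**
     * Returns the userid to place in the JCR credentials, or empty when the
     * logon name is malformed or names a domain this deployment does not
     * ignore. A caller should fail the login on empty rather than fall back
     * to the raw LOGON_USER string.
     */
    public Optional<String> toJcrUserId(String logonUser) {
        Optional<LogonName> parsed = parse(logonUser);
        if (!parsed.isPresent()) {
            return Optional.empty();
        }
        LogonName name = parsed.get();
        if (name.domain == null) {
            return Optional.of(name.user);
        }
        if (ignorableDomains.contains(name.domain.toLowerCase(Locale.ROOT))) {
            return Optional.of(name.user);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "MYDOMAIN" is the only domain this
        // deployment is configured to ignore.
        LogonNameNormalizer normalizer =
                new LogonNameNormalizer(Collections.singleton("MYDOMAIN"));
        String[] samples = {
            "MYDOMAIN\\toby", "mydomain\\toby", "toby",
            "OTHER\\toby", "\\toby", "MYDOMAIN\\", "A\\B\\toby"
        };
        for (String s : samples) {
            System.out.println(s + " -> "
                    + normalizer.toJcrUserId(s).orElse("<rejected>"));
        }
    }
}
```

With the sample configuration, the first three inputs resolve to "toby" and the remaining four are rejected. If a deployment is actually in scenario (b) or (c), the domain is part of the identity and this helper should not be used to strip it; the mapping from (domain, user) to a repository userid then belongs wherever the external accounts are synchronised, and the parse step above is still useful there to reject malformed names before they reach LDAP.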
