Access token generation

For most protocols, the access token is generated from the username or from the authorization data that is retrieved during authentication.

The following steps present a simplified overview of the complex process through which an access token is generated:

Step 1: User identity lookup
Using the initial identity, the user is looked up in all configured authentication providers in the access zone, in the order in which they are listed. The user identity and group list are retrieved from the authenticating provider. Next, additional group memberships that are associated with the user and group list are looked up for all other authentication providers. All of these SIDs, UIDs, or GIDs are added to the initial token.
Note: An exception to this behavior occurs if the AD provider is configured to call other providers, such as LDAP or NIS.

Step 2: ID mapping
The user's identifiers are associated across directory services. All SIDs are converted to their equivalent UID/GID and vice versa. These ID mappings are also added to the access token.
Step 3: User mapping
Access tokens from other directory services are combined. If the username matches any user mapping rules, the rules are processed in order and the token is updated accordingly.
Step 4: On-disk identity calculation
The default on-disk identity is calculated from the final token and the global setting. These identities are used for newly created files.
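As an added illustration of the four steps above (this is example code written for this page, not the product's own implementation), the Python below walks a username through provider lookup, ID mapping, user mapping rules and on-disk identity selection. The providers, SIDs, UIDs/GIDs, the single mapping rule, the "append"/"replace" rule operations and the rule that "native" prefers a mapped UID over a SID are all constructed assumptions; the AD-calls-other-providers exception in the note is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed directory data (not real provider output). Providers are listed in
# the order configured for the access zone; each maps username -> (identity, groups).
PROVIDERS: List[Tuple[str, Dict[str, Tuple[str, List[str]]]]] = [
    ("AD",   {"alice": ("S-1-5-21-7-1001", ["S-1-5-21-7-513", "S-1-5-21-7-2000"])}),
    ("LDAP", {"alice": ("uid:2001", ["gid:100", "gid:3000"]),
              "svc":   ("uid:4000", ["gid:4000"])}),
    ("FILE", {"bob":   ("uid:1500", ["gid:100"])}),
]

# Constructed SID <-> UID/GID mappings; both directions are consulted in step 2.
ID_MAP = {
    "S-1-5-21-7-1001": "uid:2001",
    "S-1-5-21-7-513":  "gid:100",
    "S-1-5-21-7-2000": "gid:3000",
}
ID_MAP_REVERSE = {v: k for k, v in ID_MAP.items()}

# Constructed user mapping rules (assumed syntax): (username to match, op, other user).
# "append" adds the other user's identifiers; "replace" substitutes them entirely.
USER_MAPPING_RULES = [("alice", "append", "svc")]


@dataclass
class AccessToken:
    username: str
    provider: Optional[str] = None          # provider that authenticated the user
    user_ids: List[str] = field(default_factory=list)   # primary identity first
    group_ids: List[str] = field(default_factory=list)
    on_disk_identity: Optional[str] = None


def _add(ids: List[str], new: List[str]) -> None:
    """Append identifiers in order, skipping duplicates."""
    for ident in new:
        if ident not in ids:
            ids.append(ident)


def step1_lookup(username: str) -> AccessToken:
    """Find the user in the first provider that knows it (the authenticating
    provider), then collect extra group memberships from every other provider."""
    token = AccessToken(username)
    for name, directory in PROVIDERS:
        if username in directory:
            identity, groups = directory[username]
            token.provider = name
            _add(token.user_ids, [identity])
            _add(token.group_ids, groups)
            break
    if token.provider is None:
        raise LookupError(f"{username!r} not found in any configured provider")
    for name, directory in PROVIDERS:
        if name != token.provider and username in directory:
            _add(token.group_ids, directory[username][1])
    return token


def step2_id_mapping(token: AccessToken) -> AccessToken:
    """Add the SID equivalent of every UID/GID and vice versa."""
    for ids in (token.user_ids, token.group_ids):
        mapped = [ID_MAP[i] for i in ids if i in ID_MAP]
        mapped += [ID_MAP_REVERSE[i] for i in ids if i in ID_MAP_REVERSE]
        _add(ids, mapped)
    return token


def step3_user_mapping(token: AccessToken) -> AccessToken:
    """Apply matching user mapping rules in order, merging other tokens."""
    for match, op, other in USER_MAPPING_RULES:
        if match != token.username:
            continue
        other_token = step2_id_mapping(step1_lookup(other))
        if op == "append":
            _add(token.user_ids, other_token.user_ids)
            _add(token.group_ids, other_token.group_ids)
        elif op == "replace":
            token.user_ids = list(other_token.user_ids)
            token.group_ids = list(other_token.group_ids)
    return token


def step4_on_disk_identity(token: AccessToken, global_setting: str) -> AccessToken:
    """Pick the identity written to new files from the final token and the
    global setting (assumed values: "native", "unix", "sid")."""
    uids = [i for i in token.user_ids if i.startswith("uid:")]
    sids = [i for i in token.user_ids if i.startswith("S-")]
    if global_setting == "unix":
        choice = uids
    elif global_setting == "sid":
        choice = sids
    elif global_setting == "native":
        choice = uids or sids            # assumption: prefer a mapped UID
    else:
        raise ValueError(f"unknown on-disk identity setting {global_setting!r}")
    token.on_disk_identity = choice[0] if choice else None
    return token


def build_access_token(username: str, global_setting: str = "native") -> AccessToken:
    token = step1_lookup(username)
    step2_id_mapping(token)
    step3_user_mapping(token)
    return step4_on_disk_identity(token, global_setting)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(build_access_token(user))
```

Running it for "alice" shows why the order of the steps matters: the SID from AD is mapped to a UID before the "append" rule adds the service account's identifiers, so the on-disk identity under "native" remains her own mapped UID rather than the appended one. For "bob", who exists only in the file provider, the "sid" setting yields no identity at all, which is the situation an administrator should check for before switching the global setting.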