The following steps present a simplified overview of the complex process through which an access token is generated:
- Step 1: User identity lookup
- Using the initial identity, the user is looked up in all configured authentication providers in the access zone, in the order in which they are listed. The user identity and group list are retrieved from the authenticating provider. Additional group memberships associated with that user and group list are then looked up in all other authentication providers. All of the resulting SIDs, UIDs, or GIDs are added to the initial token.
An exception to this behavior occurs if the AD provider is configured to call other providers, such as LDAP or NIS.
- Step 2: ID mapping
- The user's identifiers are associated across directory services. All SIDs are converted to their equivalent UID/GID and vice versa. These ID mappings are also added to the access token.
- Step 3: User mapping
- Access tokens retrieved from other directory services are combined with the user's token. If the username matches any user mapping rules, the rules are processed in order and the token is updated accordingly; because each rule operates on the token as modified by the rules before it, rule order affects the result.
- Step 4: On-disk identity calculation
- The default on-disk identity is calculated from the final token and the global on-disk identity setting. This is the identity that is recorded for newly created files.
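As an added illustration, not code from this page or from OneFS, the following Python model runs a user through the four steps above so the intermediate tokens can be inspected. The provider records, the explicit SID-to-UNIX mapping table, the generated-ID range, the Samba-style `S-1-22-` UNIX SIDs, the `join`/`replace` rule syntax and the `native`/`unix`/`sid` on-disk policies are all assumptions made for this example; the real product's data sources, rule operators and settings differ in detail.

```python
# Added example: simplified, runnable model of the four-step pipeline above. Not
# OneFS code: provider records, explicit SID<->UNIX mappings, the generated-ID range,
# Samba-style "S-1-22-" UNIX SIDs, rule syntax and on-disk policies are all assumed.
from dataclasses import dataclass, field

GENERATED_ID_BASE = 1_000_000   # assumed start of the generated UID/GID range
_allocated = {}                 # assumed allocator state: unmapped SID -> generated number

@dataclass
class Token:
    user: str
    sid: str = None                              # primary Windows identity
    uid: int = None                              # primary UNIX identity
    group_sids: set = field(default_factory=set)
    gids: set = field(default_factory=set)
    generated: set = field(default_factory=set)  # identifiers synthesized in step 2
    on_disk: object = None                       # result of step 4

# Constructed providers in the order the access zone is assumed to list them.
# Record = (primary identifier, group identifiers); str = SID, int = UID/GID.
ZONE_PROVIDERS = [
    ("AD",   {"alice": ("S-1-5-21-1-1-1001", ["S-1-5-21-1-1-513"]),
              "bob":   ("S-1-5-21-1-1-1002", ["S-1-5-21-1-1-513"])}),
    ("LDAP", {"alice": (2001, [100, 200]), "svc": (3001, [300])}),
]
SID_TO_UNIX = {"S-1-5-21-1-1-1001": 2001, "S-1-5-21-1-1-513": 100}  # constructed
UNIX_TO_SID = {num: sid for sid, num in SID_TO_UNIX.items()}
RULES = [("join", "alice", "svc")]  # constructed rules: (operator, user, other user)

def step1_lookup(user):
    """Step 1: the first provider that knows the user supplies identity and groups;
    every other provider that knows the user adds group memberships only."""
    token, authenticated = Token(user), False
    for _, users in ZONE_PROVIDERS:
        if user not in users:
            continue
        ident, groups = users[user]
        if not authenticated:
            authenticated = True
            setattr(token, "sid" if isinstance(ident, str) else "uid", ident)
        for g in groups:
            (token.group_sids if isinstance(g, str) else token.gids).add(g)
    if not authenticated:
        raise LookupError(f"{user}: not found in any provider of the zone")
    return token

def _unix_for(sid, token):
    """SID -> UID/GID: explicit mapping, algorithmic UNIX SID, else a generated number."""
    if sid in SID_TO_UNIX:
        return SID_TO_UNIX[sid]
    if sid.startswith("S-1-22-"):
        return int(sid.rsplit("-", 1)[1])
    num = _allocated.setdefault(sid, GENERATED_ID_BASE + len(_allocated))
    token.generated.add(num)
    return num

def _sid_for(num, kind, token):
    """UID/GID -> SID: explicit mapping, SID behind a generated number, else synthesized."""
    if num in UNIX_TO_SID:
        return UNIX_TO_SID[num]
    sid = next((s for s, n in _allocated.items() if n == num), None)
    if sid is None:
        sid = f"S-1-22-{kind}-{num}"   # assumed UNIX SID: kind 1 = user, 2 = group
        token.generated.add(sid)
    return sid

def step2_id_mapping(token):
    """Step 2: every SID gets a UID/GID and every UID/GID gets a SID."""
    if token.sid is not None and token.uid is None:
        token.uid = _unix_for(token.sid, token)
    elif token.uid is not None and token.sid is None:
        token.sid = _sid_for(token.uid, 1, token)
    token.gids |= {_unix_for(s, token) for s in token.group_sids}
    token.group_sids |= {_sid_for(g, 2, token) for g in token.gids}
    return token

def step3_user_mapping(token):
    """Step 3: apply matching rules in order. 'join' adds the other user's groups;
    'replace' substitutes the other user's identity and groups."""
    for op, name, other in RULES:
        if token.user != name:
            continue
        other_tok = step2_id_mapping(step1_lookup(other))
        if op == "replace":
            token.sid, token.uid = other_tok.sid, other_tok.uid
            token.group_sids, token.gids, token.generated = set(), set(), set()
        token.group_sids |= other_tok.group_sids
        token.gids |= other_tok.gids
        token.generated |= other_tok.generated
    return token

def step4_on_disk_identity(token, policy="native"):
    """Step 4: identity recorded on new files. Assumed policies: 'unix' -> UID,
    'sid' -> SID, 'native' -> UID unless it had to be generated, then SID."""
    choice = {"unix": token.uid, "sid": token.sid}
    return choice.get(policy, token.sid if token.uid in token.generated else token.uid)

def build_token(user, policy="native"):
    token = step3_user_mapping(step2_id_mapping(step1_lookup(user)))
    token.on_disk = step4_on_disk_identity(token, policy)
    return token
```

Running `build_token("alice")` shows the four stages compounding: AD authenticates her and supplies her SID and group SID, LDAP adds her GIDs in step 1, step 2 fills in the UID behind the SID and a SID for every GID, and the `join` rule in step 3 merges in `svc`'s group. The constructed user `bob` exercises the failure mode a practitioner cares about: his SID has no mapping, so step 2 has to allocate a UID, and under the assumed `native` policy step 4 falls back to writing the SID rather than a generated, non-authoritative UID onto new files.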