JBoss.org Community Documentation

Appendix A. Advanced Topics

In some circumstances a trusted payload may be usable for authenticating in several membership domains, or may serve as a secondary authentication method for a built-in LDAP membership domain. In these situations a custom membership domain (an intercepting domain) may be introduced at the beginning of the domain list to authenticate into other domains. To achieve this, the SuccessfulAuthenticationToken returned by the intercepting domain should contain a user name that is fully qualified for the target domain.

The interceptor domain may be solely focused on authentication.  If it only authenticates into other domains, then the interceptor domain may provide dummy implementations of the getGroupNames and getGroupNamesforUser methods.
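The following sketch of an authentication-only intercepting domain is an added example, not Teiid code. The token record, the payload format, the HMAC key, the allow-list of target domains and the user@domain form of the fully qualified name are all assumptions made for illustration; only the names SuccessfulAuthenticationToken, getGroupNames and getGroupNamesforUser come from the text above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Stand-in for the server's token class; the real SPI types are not shown on this page.
record SuccessfulAuthenticationToken(String userName) {}

public class InterceptingDomain {
    private final byte[] key;                // assumption: secret shared with the payload issuer
    private final Set<String> targetDomains; // assumption: domains this interceptor may vouch for
    public InterceptingDomain(byte[] key, Set<String> targetDomains) {
        this.key = key.clone();
        this.targetDomains = Set.copyOf(targetDomains);
    }

    // Constructed payload format: "user|domain|base64(HMAC-SHA256 of user|domain)".
    // Returns null on any failure (the real SPI's failure signalling is not shown on this page).
    public SuccessfulAuthenticationToken authenticateUser(String payload) throws Exception {
        String[] p = payload == null ? new String[0] : payload.split("\\|", -1);
        if (p.length != 3 || p[0].isEmpty() || p[0].contains("@") || !targetDomains.contains(p[1])) {
            return null; // malformed, or a target domain this interceptor may not vouch for
        }
        byte[] actual;
        try { actual = Base64.getDecoder().decode(p[2]); }
        catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(hmac(key, p[0] + "|" + p[1]), actual)) return null; // constant-time
        return new SuccessfulAuthenticationToken(p[0] + "@" + p[1]); // assumed user@domain form
    }

    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Authentication-only interceptor: group lookups are dummies, as the text allows.
    public Set<String> getGroupNames() { return Set.of(); }
    public Set<String> getGroupNamesforUser(String userName) { return Set.of(); }

    public static void main(String[] args) throws Exception {
        byte[] k = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        InterceptingDomain d = new InterceptingDomain(k, Set.of("ldap1"));
        String sig = Base64.getEncoder().encodeToString(hmac(k, "alice|ldap1"));
        System.out.println(d.authenticateUser("alice|ldap1|" + sig)); // valid MAC, allowed domain
        System.out.println(d.authenticateUser("alice|ldap1|AAAA"));   // tampered MAC
        System.out.println(d.authenticateUser("alice|other|" + sig)); // domain outside the allow-list
    }
}
```

Because the interceptor's token is accepted as proof of identity in the target domain, the sketch verifies the payload's integrity and restricts the target domain before it builds the fully qualified name.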

Membership domains are not individual services that can be independently configured within a cluster; rather, they depend on Membership Service instances. Each installed membership domain instance will be active on each MMProcess with a Membership Service.

NOTE: Since the Membership Service cannot be restarted, changes to membership domain configurations require bouncing the Teiid Server before they take effect. It also follows that if a custom membership domain is not written to recover gracefully from connectivity or other environmental issues, a server restart is required to re-initialize the membership domain.

It is recommended that customers who have utilized the internal JDBC membership domain from releases prior to MetaMatrix 5.5 migrate those users and groups to an LDAP-compliant directory server. Several free and open source directory servers can be used, including:

The Fedora Directory Server http://directory.fedoraproject.org/

OpenLDAP http://www.openldap.org/

Apache Directory Server http://directory.apache.org/

Implementations of the MembershipDomainInterface interface from releases prior to MetaMatrix 5.5 will need to be manually migrated to the new MembershipDomain interface.

If there are additional questions or the need for guidance in the migration process, please contact technical support.