manifoldcf-user mailing list archives

From Kadri Atalay <atalay.ka...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Thu, 05 May 2011 23:19:11 GMT
Fyi. The file I sent you was returning usernotfound.


Sent from my iPhone

On May 5, 2011, at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:

> It must mean we're somehow throwing an exception in the case where the
> user is missing.  I bet I know why - the CN lookup is failing instead.
> I'll see if I can change it.
> 
> Karl
> 
> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> It works, only difference I see with previous one is: if a domain is
>> reachable, message usernotfound makes a better indicator, somehow we lost
>> that.
>> 
>> 
>> C:\OPT>testauthority
>> 
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> 
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> 
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> 
>> Previous one
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> USERNOTFOUND:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> 
>> 
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> 
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> AUTHORIZED:TEQA-DC
>> TOKEN:TEQA-DC:S-1-5-32-545
>> TOKEN:TEQA-DC:S-1-5-32-544
>> TOKEN:TEQA-DC:S-1-5-32-555
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> TOKEN:TEQA-DC:S-1-1-0
>> 
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>> AUTHORIZED:TEQA-DC
>> TOKEN:TEQA-DC:S-1-5-32-545
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>> TOKEN:TEQA-DC:S-1-1-0
>> 
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> 
>> 
>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>>> 
>>> I've cleaned things up slightly to restore the objectSid and also to
>>> fix an infinite loop if you have more than one comma in the escape
>>> expression.  I've attached the file, can you see if it works?
>>> 
>>> Thanks,
>>> Karl
>>> 
>>> 
>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>> Thanks - we do need the user sid, so I will put that back.
>>>> 
>>>> Also, I'd like to ask what you know about escaping the user name in
>>>> this expression:
>>>> 
>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName
>>>> + "))";
>>>> 
>>>> It seems to me that there is probably some escaping needed, but I
>>>> don't know what style.  Do you think it is the same (C-style, with \
>>>> escape) as for the other case?
>>>> 
>>>> Karl
>>>> 
>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>>> wrote:
>>>>> Hi Karl,
>>>>> 
>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>>>> memberGroups,
>>>>> 
>>>>> C:\OPT>curl
>>>>> 
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>> AUTHORIZED:TEQA-DC
>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>> 
>>>>> but,
>>>>> 
>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>>>>> memberGroups AND SID for that user.
>>>>> 
>>>>> C:\OPT>curl
>>>>> 
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>> AUTHORIZED:TEQA-DC
>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>> 
>>>>> Since we are only interested in the member groups, tokenGroups is
>>>>> sufficient, but if you also need user SID then you might keep the
>>>>> objectSID
>>>>> as well.
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> Kadri
>>>>> 
>>>>> 
>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com>
>>>>> wrote:
>>>>>> 
>>>>>> I am curious about the following change, which does not seem correct:
>>>>>> 
>>>>>> 
>>>>>>     //Specify the attributes to return
>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>>>>>> +    String returnedAtts[]={"tokenGroups"};
>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
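Review bot: the `+` line drops "objectSid" from returnedAtts, so the search returns only the group SIDs from tokenGroups and the user's own SID is no longer among the tokens. The two curl outputs in the reply quoted above differ by exactly one entry, the token ending in -1480, which appears only with {"tokenGroups","objectSid"}. Keep both attributes if the user SID is needed; if dropping it is intentional, the "//Specify the attributes to return" comment should say why.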
>>>>>> 
>>>>>> Karl
>>>>>> 
>>>>>> 
>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>>>>> wrote:
>>>>>>> Karl,
>>>>>>> 
>>>>>>> The ActiveDirectoryAuthority.java is attached.
>>>>>>> 
>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that
>>>>>>> from Tortoise.
>>>>>>> But, you got my consent for granting the ASF license.
>>>>>>> 
>>>>>>> Thanks
>>>>>>> 
>>>>>>> Kadri
>>>>>>> 
>>>>>>> 
>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
>>>>>>>> ticket if you prefer.  But you must click the "Grant ASF License"
>>>>>>>> button.
>>>>>>>> 
>>>>>>>> Karl
>>>>>>>> 
>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>>>>>>>> <atalay.kadri@gmail.com>
>>>>>>>> wrote:
>>>>>>>>> Karl,
>>>>>>>>> 
>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>>>>>>>>> Do you know how to do this with Tortoise ?
>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>>>>>>>> BTW, there are some changes in the ParseUser method also, you can
>>>>>>>>> see all when you run the diff.
>>>>>>>>> 
>>>>>>>>> Thanks
>>>>>>>>> 
>>>>>>>>> Kadri
>>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> 
>>>> 
>> 
>> 
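
On the escaping question quoted above for the sAMAccountName filter: values placed inside an LDAP search filter follow RFC 4515, which escapes a special character as a backslash plus its two hex digits rather than the backslash-plus-character form used in distinguished names. The following is an added example, not part of the original thread or of ManifoldCF's code; the class name, method names and sample user names are constructed for illustration.

```java
// Added example (not ManifoldCF code): RFC 4515 escaping for an LDAP filter value.
public class LdapFilterEscape {

    // Hypothetical helper: replaces each character that is special inside an
    // LDAP search filter with a backslash followed by its two-digit hex code.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break; // NUL
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Same filter shape as the one quoted in the thread, with the value escaped.
    static String userFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName="
            + escapeFilterValue(userName) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = { "jdoe", "*", "smith (contractor)", "a\\b" };
        for (String s : samples) {
            // The unescaped form is what plain string concatenation produces.
            String unescaped = "(&(objectClass=user)(sAMAccountName=" + s + "))";
            System.out.println("input:     " + s);
            System.out.println("unescaped: " + unescaped);
            System.out.println("escaped:   " + userFilter(s));
            System.out.println();
        }
    }
}
```

With plain concatenation, a `*` in the user name becomes a wildcard that matches every user object, and stray parentheses change or break the filter structure; the escaped form keeps the whole input as a literal value.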