manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Fri, 06 May 2011 06:21:10 GMT
I agree we probably want a compatibility switch in the
configuration.  I'll create a ticket for that tomorrow morning, unless you
would like to do it first. ;-)

Karl

On Fri, May 6, 2011 at 1:44 AM, Shinichiro Abe
<shinichiro.abe.1@gmail.com> wrote:
> Hi.
>
> I ran test in my environment. It works well.
> I confirmed the improvements to the S-1-1-0 problem, the incorrect responses, and the
> implementation by samAccountName.
> The test results are in attachments.
>
> One question:
> The size of samAccountName is specified as less than 20 characters.
> The size of Login Name is specified as over 20 characters (256).
> If a user does not support old OS versions and supports only new ones, I think it is hard
> for ManifoldCF to restrict login names to 20 characters. Is it rare? Is it okay that
> MCF always refers to samAccountName? It seems that we should add a compatibility option.
>
> Thank you
> Shinichiro Abe
>
>
>
>
> On 2011/05/06, at 8:29, Karl Wright wrote:
>
>> I think yours was working because it was returning "cn=null,
>> cn=users", which was a result of the fact that cn was null and the
>> expression was assembled using the "+" operator.  When I separated the
>> ldap escape out, it caused a null pointer exception to be thrown
>> instead.  It should be fixed now.
>>
>> Karl
>>
>>
>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>>> Fyi. The file I sent you was returning usernotfound.
>>>
>>>
>>> Sent from my iPhone
>>>
>>> On May 5, 2011, at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>
>>>> It must mean we're somehow throwing an exception in the case where the
>>>> user is missing.  I bet I know why - the CN lookup is failing instead.
>>>> I'll see if I can change it.
>>>>
>>>> Karl
>>>>
>>>> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>>>>> It works; the only difference I see from the previous one is: if a domain is
>>>>> reachable, the message usernotfound makes a better indicator; somehow we lost
>>>>> that.
>>>>>
>>>>>
>>>>> C:\OPT>testauthority
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> Previous one
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>>>> USERNOTFOUND:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>> AUTHORIZED:TEQA-DC
>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>>>>> AUTHORIZED:TEQA-DC
>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>>
>>>>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>>>>
>>>>>> I've cleaned things up slightly to restore the objectSid and also to
>>>>>> fix an infinite loop if you have more than one comma in the escape
>>>>>> expression.  I've attached the file, can you see if it works?
>>>>>>
>>>>>> Thanks,
>>>>>> Karl
>>>>>>
>>>>>>
>>>>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>>>>> Thanks - we do need the user sid, so I will put that back.
>>>>>>>
>>>>>>> Also, I'd like to ask what you know about escaping the user name in
>>>>>>> this expression:
>>>>>>>
>>>>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
>>>>>>>
>>>>>>> It seems to me that there is probably some escaping needed, but I
>>>>>>> don't know what style.  Do you think it is the same (C-style, with \
>>>>>>> escape) as for the other case?
>>>>>>>
>>>>>>> Karl
>>>>>>>
>>>>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>>>>>> wrote:
>>>>>>>> Hi Karl,
>>>>>>>>
>>>>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>>>>>>> memberGroups,
>>>>>>>>
>>>>>>>> C:\OPT>curl
>>>>>>>>
>>>>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>>>>> AUTHORIZED:TEQA-DC
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>>>>
>>>>>>>> but,
>>>>>>>>
>>>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>>>>>>>> memberGroups AND SID for that user.
>>>>>>>>
>>>>>>>> C:\OPT>curl
>>>>>>>>
>>>>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>>>>> AUTHORIZED:TEQA-DC
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>>>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>>>>
>>>>>>>> Since we are only interested in the member groups, tokenGroups is
>>>>>>>> sufficient, but if you also need user SID then you might keep the
>>>>>>>> objectSID as well.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Kadri
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> I am curious about the following change, which does not seem correct:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>     //Specify the attributes to return
>>>>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>>>>>>>>> +    String returnedAtts[]={"tokenGroups"};
>>>>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
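Review bot: the `+` line of this hunk drops "objectSid" from returnedAtts, so the search stops returning the user's own SID and the authority only gets group SIDs back; the two curl outputs quoted further up differ exactly by the ...-1480 token, and the thread agrees the user SID is needed, so keep the attribute list as {"tokenGroups","objectSid"}.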
>>>>>>>>>
>>>>>>>>> Karl
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>> Karl,
>>>>>>>>>>
>>>>>>>>>> The ActiveDirectoryAuthority.java is attached.
>>>>>>>>>>
>>>>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that from
>>>>>>>>>> Tortoise.
>>>>>>>>>> But, you got my consent for granting the ASF license.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Kadri
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
>>>>>>>>>>> ticket if you prefer.  But you must click the "Grant ASF License"
>>>>>>>>>>> button.
>>>>>>>>>>>
>>>>>>>>>>> Karl
>>>>>>>>>>>
>>>>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>>>>>>>>>>> <atalay.kadri@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> Karl,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>>>>>>>>>>>> Do you know how to do this with Tortoise?
>>>>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>>>>>>>>>>> BTW, there are some changes in the ParseUser method also, you can see
>>>>>>>>>>>> all when you run the diff.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>>
>>>>>>>>>>>> Kadri
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>
>
>
>

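Two technical questions run through the thread above: what escaping the user name needs before it is concatenated into the sAMAccountName search filter, and why the objectSid attribute matters alongside tokenGroups. The following is an added example written for this archive page; it is not ManifoldCF's code and is in Python rather than the connector's Java. It shows the thread's filter built both ways (raw concatenation as quoted, and with RFC 4515 assertion-value escaping), and decodes the binary SID values that AD returns in objectSid and tokenGroups into the "S-1-5-21-..." strings that appear as TOKEN lines in the curl output. The function names are the example's own, and the sample SID bytes are constructed here from the SID strings visible in the thread.

```python
"""
Added example: LDAP filter escaping and binary SID decoding for an AD authority
lookup. Not ManifoldCF code; function names and sample data are this example's own.
"""
import struct

# RFC 4515 section 3: these characters must be written as a backslash followed by
# the two hex digits of the byte when they appear inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.

    The five mandatory characters are escaped; control characters and anything
    outside printable ASCII are UTF-8 encoded and each byte escaped as \\XX,
    which RFC 4515 also permits and keeps the filter 7-bit clean.
    """
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter_raw(user_name: str) -> str:
    """The filter exactly as quoted in the thread: raw string concatenation.

    A caller who controls user_name can pass "*" to match every user object,
    or "x)(objectClass=*" to change the structure of the filter.
    """
    return "(&(objectClass=user)(sAMAccountName=" + user_name + "))"


def build_user_filter(user_name: str) -> str:
    """Same filter with the user name escaped, so it can only match literally."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user_name)


def sid_to_string(sid: bytes) -> str:
    """Convert a binary SID (objectSid / tokenGroups value) to S-R-I-S-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities. Rejects values whose length disagrees with the count.
    """
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


# Constructed sample: the bytes AD would return for the domain group SID
# S-1-5-21-1212545812-2858578934-3563067286-512 seen in the thread's curl output.
SAMPLE_DOMAIN_GROUP_SID = (
    b"\x01\x05\x00\x00\x00\x00\x00\x05"   # revision 1, 5 sub-authorities, authority 5
    b"\x15\x00\x00\x00"                   # 21
    b"\x14\xfb\x45\x48"                   # 1212545812
    b"\xf6\x73\x62\xaa"                   # 2858578934
    b"\x96\x17\x60\xd4"                   # 3563067286
    b"\x00\x02\x00\x00"                   # 512
)

if __name__ == "__main__":
    for name in ("katalay_admin", "*", "x)(objectClass=*"):
        print("raw:     ", build_user_filter_raw(name))
        print("escaped: ", build_user_filter(name))
    print(sid_to_string(SAMPLE_DOMAIN_GROUP_SID))
```

In the Java connector the equivalent fix does not have to be hand-rolled: JNDI's DirContext.search(Name, String filterExpr, Object[] filterArgs, SearchControls) takes the filter as "(&(objectClass=user)(sAMAccountName={0}))" with the user name supplied in filterArgs, and escapes the special characters in the arguments itself. The escaping style is the one above (backslash plus two hex digits), not the C-style backslash escaping used for DN components, which is the distinction the thread is asking about.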