manifoldcf-user mailing list archives

From Kadri Atalay <atalay.ka...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Mon, 09 May 2011 20:47:22 GMT
Hi Karl,

*sAMAccountName* holds the logon name up to 20 chars, and
*userPrincipalName* holds the logon name up to 256 (including domain
name).

I made changes to accommodate both cases. Please see the attached file:

We can resolve this issue by making 2 calls to the getDistinguishedName method
using different attributes.
The first call is with sAMAccountName (supports only up to 20 chars).
If that fails, we can call again using userPrincipalName, up to 256 chars.

Configuration may be used if we don't want to make 2 calls for performance
reasons.

    //Get DistinguishedName (for this method we are using DomainPart as a
    //searchBase ie: "DC=qa-ad-76,DC=metacarta,DC=com")
    //First call is for logon-name limited to 20 chars used with sAMAccountName
    String userDN = getDistinguishedName(userPart, domainsb.toString(), "sAMAccountName");

    //Second call is for logon-name NOT limited to 20 chars used with userPrincipalName
    if (userDN == null)
        userDN = getDistinguishedName(userName, domainsb.toString(), "userPrincipalName");
    return userDN;

Following are the test results:

Thanks

Kadri


C:\OPT>echo follOWING users are the same

username 25 characters long

C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=1234567890123456789012345@teqa.filetek.com"
AUTHORIZED:TEQA-DC
TOKEN:TEQA-DC:S-1-5-32-545
TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-2627
TOKEN:TEQA-DC:S-1-1-0

username 20 characters long

C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=12345678901234567890@teqa.filetek.com"
AUTHORIZED:TEQA-DC
TOKEN:TEQA-DC:S-1-5-32-545
TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-2627
TOKEN:TEQA-DC:S-1-1-0

C:\OPT>

On Sun, May 8, 2011 at 10:19 AM, Karl Wright <daddywri@gmail.com> wrote:

> This looked very good, so I committed it as-is.  It does, however,
> invalidate Shinichiro's earlier patch for CONNECTORS-197.  Would you
> know what the login id field would be if the active directory instance
> does not have sAMAccountName?  Is it uid?
>
> Karl
>
> On Fri, May 6, 2011 at 6:24 PM, Kadri Atalay <atalay.kadri@gmail.com>
> wrote:
> > Hi Karl,
> >
> > While looking over AD access and attributes, I found that
> > "distinguishedName"
> > attribute contains all the information we need for TokenGroups search, in
> > the correct format ie:
> > "CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
> > and by using this attribute instead of CN, we don't need to build the
> > searchbase ourselves.
> >
> > There are 2 advantages of using this attribute:
> > 1- Even if the user is not part of the users group (whatever the reason
> > may be) we still get the results back, because his information is included
> > in the "distinguishedName" attribute.
> > 2- We don't need to treat any special characters like comma, etc. (it's
> > already formatted).
> >
> > I tested the code it works. Please see attached for the latest.
> >
> > Thanks
> >
> > Kadri
> >
> > Following is no longer needed:
> >     StringBuffer sb = new StringBuffer();
> >     sb.append("CN=").append(ldapEscape(userCN)).append(",CN=Users,");
> >     sb.append(domainsb);
> >
> >
> >
> >
> >
> > On Fri, May 6, 2011 at 11:03 AM, Kadri Atalay <atalay.kadri@gmail.com>
> > wrote:
> >>
> >> Hi Karl,
> >>
> >> Tested, and it's working.
> >>
> >> Thanks!
> >>
> >> Kadri
> >>
> >>
> >> On Thu, May 5, 2011 at 7:29 PM, Karl Wright <daddywri@gmail.com> wrote:
> >>>
> >>> I think yours was working because it was returning "cn=null,
> >>> cn=users", which was a result of the fact that cn was null and the
> >>> expression was assembled using the "+" operator.  When I separated the
> >>> ldap escape out, it caused a null pointer exception to be thrown
> >>> instead.  It should be fixed now.
> >>>
> >>> Karl
> >>>
> >>>
> >>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.kadri@gmail.com>
> >>> wrote:
> >>> > Fyi. The file I sent you was returning usernotfound.
> >>> >
> >>> >
> >>> > Sent from my iPhone
> >>> >
> >>> > On May 5, 2011, at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:
> >>> >
> >>> >> It must mean we're somehow throwing an exception in the case where the
> >>> >> user is missing.  I bet I know why - the CN lookup is failing instead.
> >>> >> I'll see if I can change it.
> >>> >>
> >>> >> Karl
> >>> >>
> >>> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com>
> >>> >> wrote:
> >>> >>> It works, only difference I see with previous one is: if a domain is
> >>> >>> reachable, message usernotfound makes a better indicator, somehow we
> >>> >>> lost that.
> >>> >>>
> >>> >>>
> >>> >>> C:\OPT>testauthority
> >>> >>>
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>> >>>
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>> >>>
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>> >>>
> >>> >>> Previous one
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
> >>> >>> USERNOTFOUND:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>> >>>
> >>> >>>
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>> >>>
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
> >>> >>> AUTHORIZED:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:S-1-5-32-545
> >>> >>> TOKEN:TEQA-DC:S-1-5-32-544
> >>> >>> TOKEN:TEQA-DC:S-1-5-32-555
> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
> >>> >>> TOKEN:TEQA-DC:S-1-1-0
> >>> >>>
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
> >>> >>> AUTHORIZED:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:S-1-5-32-545
> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
> >>> >>> TOKEN:TEQA-DC:S-1-1-0
> >>> >>>
> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>> >>>
> >>> >>>
> >>> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com>
> >>> >>> wrote:
> >>> >>>>
> >>> >>>> I've cleaned things up slightly to restore the objectSid and also to
> >>> >>>> fix an infinite loop if you have more than one comma in the escape
> >>> >>>> expression.  I've attached the file, can you see if it works?
> >>> >>>>
> >>> >>>> Thanks,
> >>> >>>> Karl
> >>> >>>>
> >>> >>>>
> >>> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com>
> >>> >>>> wrote:
> >>> >>>>> Thanks - we do need the user sid, so I will put that back.
> >>> >>>>>
> >>> >>>>> Also, I'd like to ask what you know about escaping the user name in
> >>> >>>>> this expression:
> >>> >>>>>
> >>> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
> >>> >>>>>
> >>> >>>>> It seems to me that there is probably some escaping needed, but I
> >>> >>>>> don't know what style.  Do you think it is the same (C-style, with \
> >>> >>>>> escape) as for the other case?
> >>> >>>>>
> >>> >>>>> Karl
> >>> >>>>>
> >>> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.kadri@gmail.com>
> >>> >>>>> wrote:
> >>> >>>>>> Hi Karl,
> >>> >>>>>>
> >>> >>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
> >>> >>>>>> memberGroups,
> >>> >>>>>>
> >>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
> >>> >>>>>> AUTHORIZED:TEQA-DC
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
> >>> >>>>>>
> >>> >>>>>> but,
> >>> >>>>>>
> >>> >>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is
> >>> >>>>>> returning memberGroups AND SID for that user.
> >>> >>>>>>
> >>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
> >>> >>>>>> AUTHORIZED:TEQA-DC
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
> >>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
> >>> >>>>>>
> >>> >>>>>> Since we are only interested in the member groups, tokenGroups is
> >>> >>>>>> sufficient, but if you also need user SID then you might keep the
> >>> >>>>>> objectSID as well.
> >>> >>>>>>
> >>> >>>>>> Thanks
> >>> >>>>>>
> >>> >>>>>> Kadri
> >>> >>>>>>
> >>> >>>>>>
> >>> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com>
> >>> >>>>>> wrote:
> >>> >>>>>>>
> >>> >>>>>>> I am curious about the following change, which does not seem
> >>> >>>>>>> correct:
> >>> >>>>>>>
> >>> >>>>>>>
> >>> >>>>>>>     //Specify the attributes to return
> >>> >>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
> >>> >>>>>>> +    String returnedAtts[]={"tokenGroups"};
> >>> >>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
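Review bot: the `+` line drops objectSid from returnedAtts, so the search returns only the group SIDs from tokenGroups and no longer the user's own SID; Kadri's two test runs above differ by exactly that one TOKEN line, and the follow-up in this thread confirms the user SID is needed, so `String returnedAtts[] = {"tokenGroups","objectSid"};` should stay as it was.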
> >>> >>>>>>>
> >>> >>>>>>> Karl
> >>> >>>>>>>
> >>> >>>>>>>
> >>> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.kadri@gmail.com>
> >>> >>>>>>> wrote:
> >>> >>>>>>>> Karl,
> >>> >>>>>>>>
> >>> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
> >>> >>>>>>>>
> >>> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that
> >>> >>>>>>>> from Tortoise.
> >>> >>>>>>>> But, you got my consent for granting the ASF license.
> >>> >>>>>>>>
> >>> >>>>>>>> Thanks
> >>> >>>>>>>>
> >>> >>>>>>>> Kadri
> >>> >>>>>>>>
> >>> >>>>>>>>
> >>> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
> >>> >>>>>>>> wrote:
> >>> >>>>>>>>>
> >>> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
> >>> >>>>>>>>> ticket if you prefer.  But you must click the "Grant ASF License"
> >>> >>>>>>>>> button.
> >>> >>>>>>>>>
> >>> >>>>>>>>> Karl
> >>> >>>>>>>>>
> >>> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay <atalay.kadri@gmail.com>
> >>> >>>>>>>>> wrote:
> >>> >>>>>>>>>> Karl,
> >>> >>>>>>>>>>
> >>> >>>>>>>>>> I'm using Tortoise SVN, and am new to SVN.
> >>> >>>>>>>>>> Do you know how to do this with Tortoise?
> >>> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
> >>> >>>>>>>>>> BTW, there are some changes in the ParseUser method also; you can
> >>> >>>>>>>>>> see them all when you run the diff.
> >>> >>>>>>>>>>
> >>> >>>>>>>>>> Thanks
> >>> >>>>>>>>>>
> >>> >>>>>>>>>> Kadri
> >>> >>>>>>>>>>

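Added illustration, not the connector's Java and not code from anyone in this thread: a Python sketch of the two-call lookup described in Kadri's message, combined with the RFC 4515 value escaping that Karl asks about further down the thread for the `(&(objectClass=user)(sAMAccountName=...))` filter. The directory entries, DNs and the fake_search stand-in are constructed, and the 20-character pre-check before the first call is an addition to the thread's logic.

```python
import re

# RFC 4515: these characters inside an assertion value must be written as a
# backslash followed by the two hex digits of the byte.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def user_filter(attr, value):
    """The filter shape from the thread, with the user-supplied part escaped."""
    return "(&(objectClass=user)(%s=%s))" % (attr, ldap_filter_escape(value))

# Matches only a filter that asserts exactly one attribute=value pair; unescaped
# parentheses in the value would add a second assertion and fail this check.
SINGLE_USER_FILTER = re.compile(r"^\(&\(objectClass=user\)\((\w+)=([^()]*)\)\)$")

# Constructed sample directory: the second user has a 25-character logon name
# whose sAMAccountName is the 20-character truncation, as in the test above.
FAKE_DIRECTORY = [
    {"sAMAccountName": "katalay", "userPrincipalName": "katalay@teqa.filetek.com",
     "distinguishedName": "CN=katalay,CN=Users,DC=teqa,DC=filetek,DC=com"},
    {"sAMAccountName": "12345678901234567890",
     "userPrincipalName": "1234567890123456789012345@teqa.filetek.com",
     "distinguishedName": "CN=longname,CN=Users,DC=teqa,DC=filetek,DC=com"},
]

def fake_search(filter_str):
    """Stand-in for the connector's JNDI search: exact, case-insensitive match."""
    m = SINGLE_USER_FILTER.match(filter_str)
    if m is None:
        raise ValueError("unexpected filter shape: " + filter_str)
    # Undo the RFC 4515 escaping so the comparison sees the literal value.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    for entry in FAKE_DIRECTORY:
        if entry.get(m.group(1), "").lower() == value.lower():
            return entry["distinguishedName"]
    return None

def resolve_user_dn(user_name, search=fake_search, try_sam_account_name=True):
    """Two-call lookup from the thread: sAMAccountName with the logon-name part
    first, then userPrincipalName with the full name if that found nothing."""
    user_part = user_name.split("@", 1)[0]
    dn = None
    if try_sam_account_name and len(user_part) <= 20:  # added pre-check: >20 cannot match
        dn = search(user_filter("sAMAccountName", user_part))
    if dn is None:
        dn = search(user_filter("userPrincipalName", user_name))
    return dn
```

Passing try_sam_account_name=False (the "configure away the first call" option) makes a 20-character logon name that only exists as a truncated sAMAccountName unresolvable, which is why the fallback order matters.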