manifoldcf-user mailing list archives

From Kadri Atalay <atalay.ka...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Fri, 06 May 2011 22:24:04 GMT
Hi Karl,

While looking over AD access and attributes, I found that
"distinguishedName"
attribute contains all the information we need for TokenGroups search, in
the correct format ie:
"CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
and by using this attribute instead of CN, we don't need to build the
searchbase ourselves.

There are 2 advantages of using this attribute:
1- Even if the user is not part of the users group (whatever the reason may be)
we still get the results back, because his information is included in the
"distinguishedName" attribute.
2- We don't need to treat any special characters like comma, etc. (it's
already formatted).

I tested the code; it works. Please see attached for the latest.

Thanks

Kadri

Following is no longer needed:
    StringBuffer sb = new StringBuffer();
    sb.append("CN=").append(ldapEscape(userCN)).append(",CN=Users,");
    sb.append(domainsb);





On Fri, May 6, 2011 at 11:03 AM, Kadri Atalay <atalay.kadri@gmail.com> wrote:

> Hi Karl,
>
> Tested, and it's working.
>
> Thanks!
>
> Kadri
>
>
> On Thu, May 5, 2011 at 7:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>
>> I think yours was working because it was returning "cn=null,
>> cn=users", which was a result of the fact that cn was null and the
>> expression was assembled using the "+" operator.  When I separated the
>> ldap escape out, it caused a null pointer exception to be thrown
>> instead.  It should be fixed now.
>>
>> Karl
>>
>>
>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.kadri@gmail.com>
>> wrote:
>> > Fyi. The file I sent you was returning usernotfound.
>> >
>> >
>> > Sent from my iPhone
>> >
>> > On May 5, 2011, at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >
>> >> It must mean we're somehow throwing an exception in the case where the
>> >> user is missing.  I bet I know why - the CN lookup is failing instead.
>> >> I'll see if I can change it.
>> >>
>> >> Karl
>> >>
>> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com>
>> wrote:
>> >>> It works, only difference I see with previous one is: if a domain is
>> >>> reachable, message usernotfound makes a better indicator, somehow we
>> >>> lost that.
>> >>>
>> >>>
>> >>> C:\OPT>testauthority
>> >>>
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>>
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>>
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>>
>> >>> Previous one
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> >>> USERNOTFOUND:TEQA-DC
>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>>
>> >>>
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>>
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>> AUTHORIZED:TEQA-DC
>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> >>> TOKEN:TEQA-DC:S-1-1-0
>> >>>
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>> >>> AUTHORIZED:TEQA-DC
>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>> >>> TOKEN:TEQA-DC:S-1-1-0
>> >>>
>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>>
>> >>>
>> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com>
>> wrote:
>> >>>>
>> >>>> I've cleaned things up slightly to restore the objectSid and also to
>> >>>> fix an infinite loop if you have more than one comma in the escape
>> >>>> expression.  I've attached the file, can you see if it works?
>> >>>>
>> >>>> Thanks,
>> >>>> Karl
>> >>>>
>> >>>>
>> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com>
>> wrote:
>> >>>>> Thanks - we do need the user sid, so I will put that back.
>> >>>>>
>> >>>>> Also, I'd like to ask what you know about escaping the user name in
>> >>>>> this expression:
>> >>>>>
>> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName
>> >>>>> + "))";
>> >>>>>
>> >>>>> It seems to me that there is probably some escaping needed, but I
>> >>>>> don't know what style.  Do you think it is the same (C-style, with \
>> >>>>> escape) as for the other case?
>> >>>>>
>> >>>>> Karl
>> >>>>>
>> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <
>> atalay.kadri@gmail.com>
>> >>>>> wrote:
>> >>>>>> Hi Karl,
>> >>>>>>
>> >>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>> >>>>>> memberGroups,
>> >>>>>>
>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>>>>> AUTHORIZED:TEQA-DC
>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>> >>>>>>
>> >>>>>> but,
>> >>>>>>
>> >>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>> >>>>>> memberGroups AND SID for that user.
>> >>>>>>
>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>>>>> AUTHORIZED:TEQA-DC
>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>> >>>>>>
>> >>>>>> Since we are only interested in the member groups, tokenGroups is
>> >>>>>> sufficient, but if you also need user SID then you might keep the
>> >>>>>> objectSID as well.
>> >>>>>>
>> >>>>>> Thanks
>> >>>>>>
>> >>>>>> Kadri
>> >>>>>>
>> >>>>>>
>> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com>
>> wrote:
>> >>>>>>>
>> >>>>>>> I am curious about the following change, which does not seem
>> >>>>>>> correct:
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>     //Specify the attributes to return
>> >>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>> >>>>>>> +    String returnedAtts[]={"tokenGroups"};
>> >>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
>> >>>>>>>
>> >>>>>>> Karl
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <
>> atalay.kadri@gmail.com>
>> >>>>>>> wrote:
>> >>>>>>>> Karl,
>> >>>>>>>>
>> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
>> >>>>>>>>
>> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that
>> >>>>>>>> from Tortoise.
>> >>>>>>>> But, you got my consent for granting the ASF license.
>> >>>>>>>>
>> >>>>>>>> Thanks
>> >>>>>>>>
>> >>>>>>>> Kadri
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
>> >>>>>>>> wrote:
>> >>>>>>>>>
>> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
>> >>>>>>>>> ticket if you prefer.  But you must click the "Grant ASF License"
>> >>>>>>>>> button.
>> >>>>>>>>>
>> >>>>>>>>> Karl
>> >>>>>>>>>
>> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>> >>>>>>>>> <atalay.kadri@gmail.com>
>> >>>>>>>>> wrote:
>> >>>>>>>>>> Karl,
>> >>>>>>>>>>
>> >>>>>>>>>> I'm using the Tortoise SVN, and new to SVN.
>> >>>>>>>>>> Do you know how to do this with Tortoise?
>> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
>> >>>>>>>>>> BTW, there are some changes in the ParseUser method also, you can
>> >>>>>>>>>> see all when you run the diff.
>> >>>>>>>>>>
>> >>>>>>>>>> Thanks
>> >>>>>>>>>>
>> >>>>>>>>>> Kadri
>> >>>>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>
>> >>>
>> >
>>
>
>
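Two escaping questions run through the thread above: Karl asks whether the user name in the `(&(objectClass=user)(sAMAccountName=...))` filter needs the same backslash escaping as the DN, and Kadri's final message notes that reading the user's `distinguishedName` attribute removes the need to assemble and escape the `CN=...,CN=Users,...` search base by hand. The class below is an added example, not code from this thread or from ManifoldCF's ActiveDirectoryAuthority.java. It implements the two rules that apply, which are not the same: RFC 4515 filter escaping (backslash plus two hex digits) for values placed inside a search filter, and RFC 4514 DN escaping (backslash plus the character, with position-dependent handling of a leading `#` and of leading or trailing spaces) for values placed inside a distinguished name. The class name `LdapEscaping`, the method names, the `domainDn` value and the sample user names are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example (not ManifoldCF code): the two LDAP escaping rules the
 * thread touches on. Filter values (RFC 4515) and DN values (RFC 4514) use
 * different escape forms, so one helper cannot serve both contexts.
 */
public final class LdapEscaping {

    private LdapEscaping() {}

    /**
     * Escape a value for use inside an LDAP search filter (RFC 4515).
     * The escape form is a backslash followed by two hex digits. The bytes
     * that can change a filter's structure are '*', '(', ')', '\' and NUL;
     * control bytes and non-ASCII (UTF-8) bytes are hex-escaped too, which
     * the RFC always permits.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            switch (b) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case 0:    sb.append("\\00"); break;
                default:
                    // UTF-8 multibyte sequences are negative as Java bytes,
                    // so "b < 0x20" catches both control and non-ASCII bytes
                    if (b < 0x20 || b == 0x7f) {
                        sb.append(String.format("\\%02x", b & 0xff));
                    } else {
                        sb.append((char) b);
                    }
            }
        }
        return sb.toString();
    }

    /**
     * Escape an attribute value for use inside a DN, e.g. the CN in
     * "CN=...,CN=Users,DC=example,DC=com" (RFC 4514). Special characters
     * get a single backslash prefix; a '#' needs escaping only when leading,
     * and a space only when leading or trailing.
     */
    public static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        int last = value.length() - 1;
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                case '#':
                    if (i == 0) sb.append('\\');
                    sb.append(c);
                    break;
                case ' ':
                    if (i == 0 || i == last) sb.append('\\');
                    sb.append(c);
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The filter from the thread, with the user name escaped for filter context. */
    public static String userSearchFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userName) + "))";
    }

    /** The hand-built search base from the thread, with the CN escaped for DN context. */
    public static String userSearchBase(String userCN, String domainDn) {
        return "CN=" + escapeDnValue(userCN) + ",CN=Users," + domainDn;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of these values come from the thread.
        String domainDn = "DC=example,DC=com";
        String[] samples = { "jdoe", "Doe, John", "back\\slash", "x)(objectClass=*", " lead#" };
        for (String s : samples) {
            System.out.println("filter : " + userSearchFilter(s));
            System.out.println("base   : " + userSearchBase(s, domainDn));
        }
    }
}
```

Running the `main` shows the difference in practice: a comma is harmless in the filter but must become `\,` in the DN, a backslash becomes `\5c` in the filter but `\\` in the DN, and a value containing `)`, `(` or `*` is turned into `\29`, `\28` and `\2a` so that it can no longer alter the filter's structure. Reading the search base from `distinguishedName` (as in the final message) removes the DN-escaping step entirely, but the `sAMAccountName` value still goes into a filter and still needs the RFC 4515 form.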
