manifoldcf-user mailing list archives

From Kadri Atalay <atalay.ka...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Fri, 06 May 2011 15:03:48 GMT
Hi Karl,

Tested, and it's working.

Thanks!

Kadri


On Thu, May 5, 2011 at 7:29 PM, Karl Wright <daddywri@gmail.com> wrote:

> I think yours was working because it was returning "cn=null,
> cn=users", which was a result of the fact that cn was null and the
> expression was assembled using the "+" operator.  When I separated the
> ldap escape out, it caused a null pointer exception to be thrown
> instead.  It should be fixed now.
>
> Karl
>
>
> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.kadri@gmail.com>
> wrote:
> > Fyi. The file I sent you was returning usernotfound.
> >
> >
> > Sent from my iPhone
> >
> > On May 5, 2011, at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:
> >
> >> It must mean we're somehow throwing an exception in the case where the
> >> user is missing.  I bet I know why - the CN lookup is failing instead.
> >> I'll see if I can change it.
> >>
> >> Karl
> >>
> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
> >>> It works, only difference I see with previous one is: if a domain is
> >>> reachable, message usernotfound makes a better indicator, somehow we lost
> >>> that.
> >>>
> >>>
> >>> C:\OPT>testauthority
> >>>
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>>
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>>
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>>
> >>> Previous one
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
> >>> USERNOTFOUND:TEQA-DC
> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>>
> >>>
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>>
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
> >>> AUTHORIZED:TEQA-DC
> >>> TOKEN:TEQA-DC:S-1-5-32-545
> >>> TOKEN:TEQA-DC:S-1-5-32-544
> >>> TOKEN:TEQA-DC:S-1-5-32-555
> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
> >>> TOKEN:TEQA-DC:S-1-1-0
> >>>
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
> >>> AUTHORIZED:TEQA-DC
> >>> TOKEN:TEQA-DC:S-1-5-32-545
> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
> >>> TOKEN:TEQA-DC:S-1-1-0
> >>>
> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
> >>> UNREACHABLEAUTHORITY:TEQA-DC
> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
> >>>
> >>>
> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com> wrote:
> >>>>
> >>>> I've cleaned things up slightly to restore the objectSid and also to
> >>>> fix an infinite loop if you have more than one comma in the escape
> >>>> expression.  I've attached the file, can you see if it works?
> >>>>
> >>>> Thanks,
> >>>> Karl
> >>>>
> >>>>
> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com> wrote:
> >>>>> Thanks - we do need the user sid, so I will put that back.
> >>>>>
> >>>>> Also, I'd like to ask what you know about escaping the user name in
> >>>>> this expression:
> >>>>>
> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
> >>>>>
> >>>>> It seems to me that there is probably some escaping needed, but I
> >>>>> don't know what style.  Do you think it is the same (C-style, with \
> >>>>> escape) as for the other case?
> >>>>>
> >>>>> Karl
> >>>>>
> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
> >>>>>> Hi Karl,
> >>>>>>
> >>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
> >>>>>> memberGroups,
> >>>>>>
> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
> >>>>>> AUTHORIZED:TEQA-DC
> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>>>>> TOKEN:TEQA-DC:S-1-1-0
> >>>>>>
> >>>>>> but,
> >>>>>>
> >>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
> >>>>>> memberGroups AND SID for that user.
> >>>>>>
> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
> >>>>>> AUTHORIZED:TEQA-DC
> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
> >>>>>> TOKEN:TEQA-DC:S-1-1-0
> >>>>>>
> >>>>>> Since we are only interested in the member groups, tokenGroups is
> >>>>>> sufficient, but if you also need user SID then you might keep the
> >>>>>> objectSID as well.
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>> Kadri
> >>>>>>
> >>>>>>
> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com> wrote:
> >>>>>>>
> >>>>>>> I am curious about the following change, which does not seem correct:
> >>>>>>>
> >>>>>>>
> >>>>>>>     //Specify the attributes to return
> >>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
> >>>>>>> +    String returnedAtts[]={"tokenGroups"};
> >>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
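Review bot: the + line drops "objectSid" from returnedAtts, so the search returns only the group SIDs from tokenGroups and no longer the user's own SID; the curl outputs quoted elsewhere in this thread show the ...-1480 token present with {"tokenGroups","objectSid"} and absent with {"tokenGroups"} alone. If documents can carry an ACL entry for the user directly, keep both attributes; otherwise add a comment on this line saying why the user SID is not needed.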
> >>>>>>>
> >>>>>>> Karl
> >>>>>>>
> >>>>>>>
> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
> >>>>>>>> Karl,
> >>>>>>>>
> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
> >>>>>>>>
> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that
> >>>>>>>> from Tortoise.
> >>>>>>>> But, you got my consent for granting the ASF license.
> >>>>>>>>
> >>>>>>>> Thanks
> >>>>>>>>
> >>>>>>>> Kadri
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
> >>>>>>>>> ticket if you prefer.  But you must click the "Grant ASF License"
> >>>>>>>>> button.
> >>>>>>>>>
> >>>>>>>>> Karl
> >>>>>>>>>
> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
> >>>>>>>>> <atalay.kadri@gmail.com>
> >>>>>>>>> wrote:
> >>>>>>>>>> Karl,
> >>>>>>>>>>
> >>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
> >>>>>>>>>> Do you know how to do this with Tortoise ?
> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
> >>>>>>>>>> BTW, there are some changes in the ParseUser method also, you can
> >>>>>>>>>> see all when you run the diff.
> >>>>>>>>>>
> >>>>>>>>>> Thanks
> >>>>>>>>>>
> >>>>>>>>>> Kadri
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>
> >>>
> >
>
