manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Thu, 05 May 2011 23:12:34 GMT
It must mean we're somehow throwing an exception in the case where the
user is missing.  I bet I know why - the CN lookup is failing instead.
 I'll see if I can change it.

Karl

On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
> It works, only difference I see with previous one is: if a domain is
> reachable, message usernotfound makes a better indicator, somehow we lost
> that.
>
>
> C:\OPT>testauthority
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
> UNREACHABLEAUTHORITY:TEQA-DC
> TOKEN:TEQA-DC:DEAD_AUTHORITY
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
> UNREACHABLEAUTHORITY:TEQA-DC
> TOKEN:TEQA-DC:DEAD_AUTHORITY
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
> UNREACHABLEAUTHORITY:TEQA-DC
> TOKEN:TEQA-DC:DEAD_AUTHORITY
>
> Previous one
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
> USERNOTFOUND:TEQA-DC
> TOKEN:TEQA-DC:DEAD_AUTHORITY
>
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
> UNREACHABLEAUTHORITY:TEQA-DC
> TOKEN:TEQA-DC:DEAD_AUTHORITY
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
> AUTHORIZED:TEQA-DC
> TOKEN:TEQA-DC:S-1-5-32-545
> TOKEN:TEQA-DC:S-1-5-32-544
> TOKEN:TEQA-DC:S-1-5-32-555
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
> TOKEN:TEQA-DC:S-1-1-0
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
> AUTHORIZED:TEQA-DC
> TOKEN:TEQA-DC:S-1-5-32-545
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
> TOKEN:TEQA-DC:S-1-1-0
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
> UNREACHABLEAUTHORITY:TEQA-DC
> TOKEN:TEQA-DC:DEAD_AUTHORITY
>
>
> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>>
>> I've cleaned things up slightly to restore the objectSid and also to
>> fix an infinite loop if you have more than one comma in the escape
>> expression.  I've attached the file, can you see if it works?
>>
>> Thanks,
>> Karl
>>
>>
>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com> wrote:
>> > Thanks - we do need the user sid, so I will put that back.
>> >
>> > Also, I'd like to ask what you know about escaping the user name in
>> > this expression:
>> >
>> > String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName
>> > + "))";
>> >
>> > It seems to me that there is probably some escaping needed, but I
>> > don't know what style.  Do you think it is the same (C-style, with \
>> > escape) as for the other case?
>> >
>> > Karl
>> >
>> > On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.kadri@gmail.com>
>> > wrote:
>> >> Hi Karl,
>> >>
>> >>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>> >> memberGroups,
>> >>
>> >> C:\OPT>curl
>> >>
>> >> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >> AUTHORIZED:TEQA-DC
>> >> TOKEN:TEQA-DC:S-1-5-32-545
>> >> TOKEN:TEQA-DC:S-1-5-32-544
>> >> TOKEN:TEQA-DC:S-1-5-32-555
>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >> TOKEN:TEQA-DC:S-1-1-0
>> >>
>> >> but,
>> >>
>> >> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>> >> memberGroups AND SID for that user.
>> >>
>> >> C:\OPT>curl
>> >>
>> >> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >> AUTHORIZED:TEQA-DC
>> >> TOKEN:TEQA-DC:S-1-5-32-545
>> >> TOKEN:TEQA-DC:S-1-5-32-544
>> >> TOKEN:TEQA-DC:S-1-5-32-555
>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> >> TOKEN:TEQA-DC:S-1-1-0
>> >>
>> >> Since we are only interested in the member groups, tokenGroups is
>> >> sufficient, but if you also need user SID then you might keep the
>> >> objectSID
>> >> as well.
>> >>
>> >> Thanks
>> >>
>> >> Kadri
>> >>
>> >>
>> >> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >>>
>> >>> I am curious about the following change, which does not seem correct:
>> >>>
>> >>>
>> >>>     //Specify the attributes to return
>> >>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>> >>> +    String returnedAtts[]={"tokenGroups"};
>> >>>     searchCtls.setReturningAttributes(returnedAtts);
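Review bot: The + line drops "objectSid" from returnedAtts, so the search no longer requests the user's own SID and only the group SIDs in tokenGroups remain available to turn into tokens. Keep {"tokenGroups","objectSid"} unless the user SID is obtained some other way, and extend the "Specify the attributes to return" comment to say why each attribute is requested. Kadri's reply in this thread shows the token ending in -1480 disappearing from the output when only tokenGroups is returned.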
>> >>>
>> >>> Karl
>> >>>
>> >>>
>> >>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.kadri@gmail.com>
>> >>> wrote:
>> >>> > Karl,
>> >>> >
>> >>> > The ActiveDirectoryAuthority.java is attached.
>> >>> >
>> >>> > I'm not sure about clicking "Grant ASF License", or how to do that
>> >>> > from
>> >>> > Tortoise.
>> >>> > But, you got my consent for granting the ASF license.
>> >>> >
>> >>> > Thanks
>> >>> >
>> >>> > Kadri
>> >>> >
>> >>> >
>> >>> > On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
>> >>> > wrote:
>> >>> >>
>> >>> >> You may attach the whole ActiveDirectoryAuthority.java file
>> >>> >> to the ticket if you prefer.  But you must click the
>> >>> >> "Grant ASF License" button.
>> >>> >>
>> >>> >> Karl
>> >>> >>
>> >>> >> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>> >>> >> <atalay.kadri@gmail.com>
>> >>> >> wrote:
>> >>> >> > Karl,
>> >>> >> >
>> >>> >> > I'm using the Tortoise SVN, and new to SVN..
>> >>> >> > Do you know how to do this with Tortoise ?
>> >>> >> > Otherwise, I can just send the source code directly to you.
>> >>> >> > BTW, there are some changes in the ParseUser method also, you
>> >>> >> > can see all when you run the diff.
>> >>> >> >
>> >>> >> > Thanks
>> >>> >> >
>> >>> >> > Kadri
>> >>> >> >
>> >>> >
>> >>> >
>> >>
>> >>
>> >
>
>
