manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Two Active directory connections in Authority group
Date Fri, 31 Oct 2014 08:39:17 GMT
Hi Kambiz,

The Active Directory authority should be looking up a user in the active
directory domain you specify, and all its groups in that domain.  That will
include the groups that the user is in WITHIN THAT DOMAIN.  Since the first
matching rule based on the user's domain suffix is what will be used, with
the AD authority you can only send the query to ONE AD authority at this
time.

The problem with any other setup is that I can't see how you'd wind up with
documents whose access is in fact controlled by two separate domains.  MCF
has the structural ability to do this, but in order for you to take
advantage of it, your repository connection would have to have multiple
classes of acls being attached to documents, one class per authority (e.g.
internal access tokens and external access tokens).

Karl


On Fri, Oct 31, 2014 at 4:09 AM, Kambiz Niktabar <niktabar@yahoo.com> wrote:

> Hi again Karl,
>
> Just have another question. Here we have a scenario where groups in the
> extranet AD domain have members from the intranet AD domain. Is there any
> way to get those groups expanded so that the user sees the documents given
> access to those groups?
>
> Regards
> Kambiz
>
> ------------------------------
> *From:* Kambiz Niktabar <niktabar@yahoo.com>
> *To:* Karl Wright <daddywri@gmail.com>; "user@manifoldcf.apache.org" <
> user@manifoldcf.apache.org>
> *Sent:* Tuesday, October 28, 2014 10:24 PM
>
> *Subject:* Re: Two Active directory connections in Authority group
>
> Hi Karl,
>
> Thanks a lot for the information. I added the second AD domain to the same
> Active Directory authority and it works fine now :)
>
> Regards
> Kambiz
>
>
>
> ------------------------------
> *From:* Karl Wright <daddywri@gmail.com>
> *To:* "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>; Kambiz
> Niktabar <niktabar@yahoo.com>
> *Sent:* Tuesday, October 28, 2014 5:24 PM
> *Subject:* Re: Two Active directory connections in Authority group
>
> I should also add that it is really helpful for diagnosing problems of
> this kind to use curl, e.g.:
>
> curl http://localhost:8345/mcf-authority-service/UserACLs?user=kambiz@something.net
>
> ... and see what gets returned.  If you see DEAD_AUTHORITY in the list of
> acls, don't expect to see any documents from the associated authority group.
>
> Thanks,
> Karl
>
> On Tue, Oct 28, 2014 at 12:09 PM, Karl Wright <daddywri@gmail.com> wrote:
>
> Hi Kambiz,
>
> The Active Directory authority is not an "additive" authority, so you
> cannot use it within the same authorization group with other authorities,
> and expect it to work cumulatively.  The reason is that when there is a
> problem (e.g. user not found or server unreachable), the authority asserts
> the "DEAD_AUTHORITY" token, which effectively disables any documents from
> being returned.  This is necessary whenever the repository has a security
> model that has "deny" tokens, and that's the case for most repositories
> secured by Active Directory.
>
> For this reason, we long ago added the ability to have multiple Active
> Directory domains within the same Active Directory authority.  This is what
> you should use, since it will behave in the manner you expect.
>
> Thanks,
> Karl
>
>
> On Tue, Oct 28, 2014 at 11:35 AM, Kambiz Niktabar <niktabar@yahoo.com>
> wrote:
>
> Hello,
>
> I want to have two Active Directory connections (intranet and extranet AD)
> in one Authority group, but it seems it's not working as expected. I'm
> getting hits when I have only the Intranet AD in the authority group and
> zero hits when I add the Extranet AD into the same authority group.
>
> I attached Solr log files for two scenarios.
>
> Regards
> Kambiz
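As an added example (not code from this thread or from ManifoldCF itself), the Python helper below automates Karl's curl check: it parses a UserACLs response, flags authority groups whose token list carries DEAD_AUTHORITY, and models the first-matching-domain-suffix rule from the first reply. The response line format, the connection names and the domain rules are assumptions, marked as constructed in the code.

```python
import urllib.request
from urllib.parse import urlencode

# Constructed UserACLs response for the thread's scenario: two AD connections in one
# authority group, the extranet one unreachable. The line shapes (AUTHORIZED:,
# UNREACHABLEAUTHORITY:, TOKEN:) are assumed; compare with your MCF version's output.
SAMPLE_RESPONSE = """\
AUTHORIZED:IntranetAD
UNREACHABLEAUTHORITY:ExtranetAD
TOKEN:Group1:S-1-5-21-111-222-333-1001
TOKEN:Group1:S-1-5-21-111-222-333-513
TOKEN:Group1:DEAD_AUTHORITY
"""
# Constructed domain rules as (lower-case user domain suffix, AD domain to query), in order.
RULES = [("intranet.example.com", "intranet.example.com"),
         ("example.com", "extranet.example.com")]

def fetch_user_acls(user, base="http://localhost:8345/mcf-authority-service"):
    """Fetch the raw response for one user (the endpoint the curl command hits)."""
    url = f"{base}/UserACLs?{urlencode({'user': user})}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_user_acls(text):
    """Return ({connection: status}, [token, ...]) parsed from the response text."""
    status, tokens = {}, []
    for line in text.splitlines():
        kind, sep, rest = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        if kind == "TOKEN":
            tokens.append(rest)
        else:
            status[rest] = kind
    return status, tokens

def dead_authority_groups(tokens):
    """Authority groups whose tokens include DEAD_AUTHORITY; that token acts as a
    deny, so no document from such a group is returned for this user."""
    return sorted({t.rsplit(":", 1)[0] for t in tokens if t.endswith("DEAD_AUTHORITY")})

def select_domain(user, rules):
    """Model of the AD authority's rule matching: the first rule whose suffix
    matches the user's domain wins, so only that domain is queried for groups."""
    user_domain = user.rpartition("@")[2].lower()
    for suffix, domain in rules:
        if user_domain == suffix or user_domain.endswith("." + suffix):
            return domain
    return None
```

Running `dead_authority_groups` over a live response shows at a glance which authority group is suppressing results, which is the same conclusion Karl draws from spotting DEAD_AUTHORITY by eye.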