manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Wed, 04 May 2011 17:17:31 GMT
Hi again,

I did some research on S-1-1-0.  Microsoft reserves this and by their
documentation you cannot change whether an individual user is
considered a member of this group or not.  The only change they
mention to the behavior of this is that prior to Windows XP SP2,
anonymous users were considered to have S-1-1-0, while after Windows
XP SP2, they were not.  It is possible that there is a global
configuration setting for S-1-1-0 group affinity for ALL users, but I
haven't found any solid indication of that, either.


On Wed, May 4, 2011 at 11:26 AM, Karl Wright <> wrote:
> Hi Kadri,
> Shinichiro Abe has been using the Active Directory authority connector
> actively and successfully recently.  I've asked him to verify the
> change that I proposed for detecting the user-not-found condition more
> reliably.  I am still waiting for his response.
> The code would not be adding the S-1-1-0 group if it was being
> returned by Active Directory, but in my tests (now more than a year
> ago) on Windows Server 2000 and Windows Server 2003, it never did get
> returned.  And yet it was critically important, which is why I had no
> choice but to add it manually.
> Since it is a well-known group with a standard definition, there
> should be no concern that there would be a conflict.  The only
> potential issue could be that not all users have S-1-1-0.  I'd love to
> see any indication that this can ever be the case.  If so, there must
> be a way to detect this detail through LDAP, which we'd have to learn
> somehow.
> Karl

View raw message