Hi Silvio,

The "domain" argument to the authority service does not represent an Active Directory domain.  It represents an MCF authorization domain, which is described in the book and also in the other documentation.  This cannot be used as an Active Directory domain.

>>>>>>
Unfortunately, the elasticsearch plugin for Apache ManifoldCF authentication service does not allow one to hand over a username in the form of the user principal name, e.g. msi@ourdomian.com. This is due to the fact that the @ sign is not allowed to be encoded in the user name.
<<<<<<

That's pretty surprising; the plugin has no character limits I am aware of for user names, and I wrote it.  Perhaps you simply need to use proper URL encoding practices in forming the URL you are invoking ElasticSearch with?

Karl


On Sun, May 15, 2016 at 11:39 AM, Silvio Meier <silvio.r.meier@quantentunnel.de> wrote:
Hi Apache ManifoldCF user list
 
I’m experimenting with Apache ManifoldCF 2.3, Elasticsearch 1.74 and the corresponding Elasticsearch plugin (v 2.0.1) which I use to index the network Windows shares of our company.
I set up Apache Manifold using authorization services together with an Active Directory.
 
Using the Apache ManifoldCF authentication services with separated domain name and user name somehow does not work for our Active Directory configuration, so when the following service call is made http://localhost:8081/mcf-authority-service/UserACLs?username=msi&domain=ourdomain.com , the authentication service does not return any ACL list. I tried different combinations of domain names or NetBIOS names together with user names. Or just username without domain name. No success!
 
However, the only thing that is working is when calling the authorization service with http://localhost:8081/mcf-authority-service/UserACLs?username=msi@ourdomain.com , i.e., using the user principal name as username.  In this case the service returns the correct set of ACLs.
 
Unfortunately, the elasticsearch plugin for Apache ManifoldCF authentication service does not allow one to hand over a username in the form of the user principal name, e.g. msi@ourdomian.com. This is due to the fact that the @ sign is not allowed to be encoded in the user name. My current workaround (which works) is to adapt the elasticsearch plugin to accept the @ sign in the user name. However, this is not a nice solution. Is there a better (built-in) solution, or did I just miss something regarding the authentication service?
 
Regards
Silvio