Return-Path: Delivered-To: apmail-incubator-connectors-user-archive@minotaur.apache.org Received: (qmail 62720 invoked from network); 11 Apr 2011 09:31:29 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 11 Apr 2011 09:31:29 -0000 Received: (qmail 86361 invoked by uid 500); 11 Apr 2011 09:31:28 -0000 Delivered-To: apmail-incubator-connectors-user-archive@incubator.apache.org Received: (qmail 86257 invoked by uid 500); 11 Apr 2011 09:31:21 -0000 Mailing-List: contact connectors-user-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: connectors-user@incubator.apache.org Delivered-To: mailing list connectors-user@incubator.apache.org Received: (qmail 86242 invoked by uid 99); 11 Apr 2011 09:31:17 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 11 Apr 2011 09:31:17 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of daddywri@gmail.com designates 209.85.216.182 as permitted sender) Received: from [209.85.216.182] (HELO mail-qy0-f182.google.com) (209.85.216.182) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 11 Apr 2011 09:31:13 +0000 Received: by qyk27 with SMTP id 27so4158088qyk.6 for ; Mon, 11 Apr 2011 02:30:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type:content-transfer-encoding; bh=NvizaPMN4cUVn3nX6e5WWuAJ3DwcXf6L5OaLENEJ/64=; b=vF6lEgaZLWPOeE4dhUxYNB8q4A/lR1iZiX1vmJtJX6mV7qPo9UGJV98miSulWxqY9P 21FXB/IsYNyMrTYzyLviEl2xh7po108i/Uap5P6kweS8pD51PqeZ+V9sRJBPoWvI2dwv GQnDdC34P9RIc8RXaZD5GePQZZFmCzyFjNZ0E= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=xQ/M0JHfEtva5ynUxN3LB7tjtdxdLhAWQjpM5GhFuHh06bloGQOn4GPiOxwqnoJnWi dDN3hePyhW7dflFSlCv3lwGzCCo+MUzD9+d7PtPacGLgmv7DdShOdo7cuo4tVdDCNl/t LpUmQKTFJvgojmW6iNw932WKz5AqKINbS0Ngo= MIME-Version: 1.0 Received: by 10.229.114.80 with SMTP id d16mr3982494qcq.18.1302514252349; Mon, 11 Apr 2011 02:30:52 -0700 (PDT) Received: by 10.229.95.78 with HTTP; Mon, 11 Apr 2011 02:30:52 -0700 (PDT) In-Reply-To: References: Date: Mon, 11 Apr 2011 05:30:52 -0400 Message-ID: Subject: Re: Authority Connection From: Karl Wright To: connectors-user@incubator.apache.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Some answers, but no solutions. (1) The Active Directory authority was tested against various incarnations of Windows 2003 Server. I have not researched whether Windows2008R2 still supports the same authentication protocols. But I do know that Windows 2003 Server did work. Unfortunately, I no longer have a Windows 2003 Server setup available to me at this time, so I will not be able to confirm this today. (2) Windows is highly configurable. If it is possible that your domain controllers have been modified to restrict the protocols that they accept, then it is possible that the Active Directory authority might not work properly for that reason. But if your Windows 2003 Server is "out of the box" that's an unlikely explanation. (3) If you are concerned about encoding issues (and I would be, given that your passwords have @'s in them), I would try to confirm that is the problem by providing credentials that do not have potential problems of this kind. Try creating an AD user with very straightforward credentials and see if you get to "Connection working" that way. If you do, we'll have to figure out what encoding is needed and where it should be done. The authority connector uses the standard Sun library for LDAP communication, so I would think this would not be a problem. (4) In ManifoldCF In Action, I do not presume the user has access to anything that's not open-source. So of course I don't actually point the Active Directory authority at a real domain controller. But if you do not get "Connection working" back in the Crawler UI, the authority will not work to find real user tokens, that is certain. (5) The security modes I selected were based on what I read online and tested in my environment at the time. You are welcome to experiment to see if you can find security protocols that work for you; I would be interested to hear if you find something that works in your environment. Karl On Mon, Apr 11, 2011 at 5:00 AM, Shinichiro Abe wrote: > Hello. > > I want to connect =A0the repository server through Windows Active Directo= ry, > but Registering Authority Connection was not working. > Please tell me if you know something. > > > 1) AuthorityConnection error occurs when registering. > Connection status was not "Connection Working". > > At Crawler UI,I specify domain controllers --Windows2008R2 (VM), and save= button. > > Connection status: > Threw exception: 'Authentication problem authenticating admin user' Admin= @mcf.org ': [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904D0, commen= t: AcceptSecurityContext error, data 52e, v1db0]' > > "data 52e" is likely to be invalid credentials error. > http://www.coderanch.com/t/490367/Security/javax-naming-AuthenticationExc= eption-LDAP-error > > Next, At Crawler UI,I specify domain controllers --Windows2003 (VM), and = save button. > > Connection status: > Threw exception: 'Authentication problem authenticating admin user' Admin= @mcf.org ': [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, commen= t: AcceptSecurityContext error, data 0, vece]' > > The result code seems to be different (data 52e/data 0) by OS. > > > 2) My environment. I set the same configuration for both OS. > > Domain Controller: 192.168.11.12 User: Admin@mcf.org Password: P@ssw0rd > > In Active Directory, Domain is "mcf.org". > "Admin"(username) belongs to the Administrators group,and "user1" belongs= to the Users group. > And I prepared the repository server (WindowsXP).This server belongs to "= mcf.org". > On the repository server, Admin and user1 can allow to access shared fold= ers. > > > 3)I tried to test for connection. > > The user tried the following pattern. But the connection failed. > =A01.Admin@mcf.org > =A02.mcf.org \ \ Admin > =A03.mcf \ Admin > Password tried the following pattern. But the connection failed. > =A01.P@ssw0rd > =A02.P@ssw0rd convert by the URL encoding. P%40ssw0rd > =A03.MD5-s "P@ssw0rd" convert to set the hash value. > > Please tell me how to correct registration. > (By the way, even in ManifoldCFinAction, on screen image it failed to con= nect.) > > > 4) I checked the Security Event Log of Windows. > Event Log said that the user failed to login (unspecified). > On the other hand, When I =A0use LDAPSEARCH(free software tool), I succes= sfully login. > http://www.brothersoft.com/ldapsearch-255199.html > Comparing between LDAPSEARCH and MCF, authentication process / package se= ems to be different. > In Event Log, MCF(login failed) process / package is "WDIGEST" / "Wdigest= ". > LDAPSEARCH(can login) process =A0/ packages is "Advapi" / "Negotiate". > > ActiveDirectoryAuthority.getSession () =A0set Context.SECURITY_AUTHENTICA= TION. > the SECURITY_AUTHENTICATION defines not "simple" but "DIGEST-MD5 GSSAPI". > Does it have any reason? I guess there are any problems in this area. > > > I think it is a difficult problem, but I want to determine whether by my = environment or by MCF. > Please tell me if you have any ideas, =A0points to be checked. > Thank you. > > Regards, > Shinichiro Abe > >