manifoldcf-user mailing list archives

From Kadri Atalay <atalay.ka...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Thu, 05 May 2011 23:21:21 GMT
Out of office now. Will try tomorrow.
Thx

Sent from my iPhone

On May 5, 2011, at 7:17 PM, Karl Wright <daddywri@gmail.com> wrote:

> Try this.
> Karl
> 
> 
> On Thu, May 5, 2011 at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:
>> It must mean we're somehow throwing an exception in the case where the
>> user is missing.  I bet I know why - the CN lookup is failing instead.
>>  I'll see if I can change it.
>> 
>> Karl
>> 
>> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>>> It works, only difference I see with previous one is: if a domain is
>>> reachable, message usernotfound makes a better indicator, somehow we lost
>>> that.
>>> 
>>> 
>>> C:\OPT>testauthority
>>> 
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> 
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> 
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> 
>>> Previous one
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>> USERNOTFOUND:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> 
>>> 
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> 
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>> AUTHORIZED:TEQA-DC
>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> TOKEN:TEQA-DC:S-1-1-0
>>> 
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>>> AUTHORIZED:TEQA-DC
>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>>> TOKEN:TEQA-DC:S-1-1-0
>>> 
>>> C:\OPT>curl
>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> 
>>> 
>>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>> 
>>>> I've cleaned things up slightly to restore the objectSid and also to
>>>> fix an infinite loop if you have more than one comma in the escape
>>>> expression.  I've attached the file, can you see if it works?
>>>> 
>>>> Thanks,
>>>> Karl
>>>> 
>>>> 
>>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>>> Thanks - we do need the user sid, so I will put that back.
>>>>> 
>>>>> Also, I'd like to ask what you know about escaping the user name in
>>>>> this expression:
>>>>> 
>>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName
>>>>> + "))";
>>>>> 
>>>>> It seems to me that there is probably some escaping needed, but I
>>>>> don't know what style.  Do you think it is the same (C-style, with \
>>>>> escape) as for the other case?
>>>>> 
>>>>> Karl
>>>>> 
>>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>>>> wrote:
>>>>>> Hi Karl,
>>>>>> 
>>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>>>>> memberGroups,
>>>>>> 
>>>>>> C:\OPT>curl
>>>>>> 
>>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>>> AUTHORIZED:TEQA-DC
>>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>> 
>>>>>> but,
>>>>>> 
>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>>>>>> memberGroups AND SID for that user.
>>>>>> 
>>>>>> C:\OPT>curl
>>>>>> 
>>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>>> AUTHORIZED:TEQA-DC
>>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>> 
>>>>>> Since we are only interested in the member groups, tokenGroups is
>>>>>> sufficient, but if you also need user SID then you might keep the
>>>>>> objectSID
>>>>>> as well.
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> Kadri
>>>>>> 
>>>>>> 
>>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>>>>> 
>>>>>>> I am curious about the following change, which does not seem correct:
>>>>>>> 
>>>>>>> 
>>>>>>>     //Specify the attributes to return
>>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>>>>>>> +    String returnedAtts[]={"tokenGroups"};
>>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
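Review bot: the `+` line drops "objectSid" from `returnedAtts`, so the search result passed to `searchCtls.setReturningAttributes(returnedAtts)` carries only the tokenGroups values and the user's own SID can no longer be emitted as a token. An ACL entry that names the user directly rather than one of the user's groups would then have nothing to match against. Keep `{"tokenGroups","objectSid"}` unless the user SID is obtained some other way, and add a comment saying why both attributes are requested.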
>>>>>>> 
>>>>>>> Karl
>>>>>>> 
>>>>>>> 
>>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>>>>>> wrote:
>>>>>>>> Karl,
>>>>>>>> 
>>>>>>>> The ActiveDirectoryAuthority.java is attached.
>>>>>>>> 
>>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that
>>>>>>>> from Tortoise.
>>>>>>>> But, you got my consent for granting the ASF license.
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> 
>>>>>>>> Kadri
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
>>>>>>>>> ticket if you prefer.  But you must click the "Grant ASF License"
>>>>>>>>> button.
>>>>>>>>> 
>>>>>>>>> Karl
>>>>>>>>> 
>>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>>>>>>>>> <atalay.kadri@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>> Karl,
>>>>>>>>>> 
>>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>>>>>>>>>> Do you know how to do this with Tortoise?
>>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>>>>>>>>> BTW, there are some changes in the ParseUser method also, you can
>>>>>>>>>> see all when you run the diff.
>>>>>>>>>> 
>>>>>>>>>> Thanks
>>>>>>>>>> 
>>>>>>>>>> Kadri
>>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>> 
>>> 
>> 
> <ActiveDirectoryAuthority.java>
