manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Sun, 08 May 2011 14:19:18 GMT
This looked very good, so I committed it as-is.  It does, however,
invalidate Shinichiro's earlier patch for CONNECTORS-197.  Would you
know what the login id field would be if the active directory instance
does not have sAMAccountName?  Is it uid?

Karl

On Fri, May 6, 2011 at 6:24 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
> Hi Karl,
>
> While looking over AD access and attributes, I found that
> "distinguishedName"
> attribute contains all the information we need for TokenGroups search, in
> the correct format ie:
> "CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
> and by using this attribute instead of CN, we don't need to build the
> searchbase ourselves.
>
> There are 2 advantages of using this attribute:
> 1- Even if the user is not part of the Users group (whatever the reason may be)
> we still get the results back, because his information is included in the
> "distinguishedName" attribute.
> 2- We don't need to treat any special characters like commas, etc. (it's
> already formatted).
>
> I tested the code and it works. Please see attached for the latest.
>
> Thanks
>
> Kadri
>
> Following is no longer needed:
>     StringBuffer sb = new StringBuffer();
>     sb.append("CN=").append(ldapEscape(userCN)).append(",CN=Users,");
>     sb.append(domainsb);
>
>
>
>
>
> On Fri, May 6, 2011 at 11:03 AM, Kadri Atalay <atalay.kadri@gmail.com>
> wrote:
>>
>> Hi Karl,
>>
>> Tested, and it's working.
>>
>> Thanks!
>>
>> Kadri
>>
>>
>> On Thu, May 5, 2011 at 7:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>
>>> I think yours was working because it was returning "cn=null,
>>> cn=users", which was a result of the fact that cn was null and the
>>> expression was assembled using the "+" operator.  When I separated the
>>> ldap escape out, it caused a null pointer exception to be thrown
>>> instead.  It should be fixed now.
>>>
>>> Karl
>>>
>>>
>>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>> wrote:
>>> > Fyi. The file I sent you was returning usernotfound.
>>> >
>>> >
>>> > Sent from my iPhone
>>> >
>>> > On May 5, 2011, at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:
>>> >
>>> >> It must mean we're somehow throwing an exception in the case where the
>>> >> user is missing.  I bet I know why - the CN lookup is failing instead.
>>> >> I'll see if I can change it.
>>> >>
>>> >> Karl
>>> >>
>>> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com>
>>> >> wrote:
>>> >>> It works; the only difference I see from the previous one is: if a domain
>>> >>> is reachable, the message usernotfound makes a better indicator, and
>>> >>> somehow we lost that.
>>> >>>
>>> >>>
>>> >>> C:\OPT>testauthority
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> Previous one
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>> >>> USERNOTFOUND:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>> >>> AUTHORIZED:TEQA-DC
>>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> >>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>>> >>> AUTHORIZED:TEQA-DC
>>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>>> >>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>>
>>> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com>
>>> >>> wrote:
>>> >>>>
>>> >>>> I've cleaned things up slightly to restore the objectSid and also to
>>> >>>> fix an infinite loop if you have more than one comma in the escape
>>> >>>> expression.  I've attached the file; can you see if it works?
>>> >>>>
>>> >>>> Thanks,
>>> >>>> Karl
>>> >>>>
>>> >>>>
>>> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com>
>>> >>>> wrote:
>>> >>>>> Thanks - we do need the user sid, so I will put that back.
>>> >>>>>
>>> >>>>> Also, I'd like to ask what you know about escaping the user name in
>>> >>>>> this expression:
>>> >>>>>
>>> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
>>> >>>>>
>>> >>>>> It seems to me that there is probably some escaping needed, but I
>>> >>>>> don't know what style.  Do you think it is the same (C-style, with \
>>> >>>>> escape) as for the other case?
>>> >>>>>
>>> >>>>> Karl
>>> >>>>>
>>> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay
>>> >>>>> <atalay.kadri@gmail.com>
>>> >>>>> wrote:
>>> >>>>>> Hi Karl,
>>> >>>>>>
>>> >>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>> >>>>>> memberGroups,
>>> >>>>>>
>>> >>>>>> C:\OPT>curl
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>> >>>>>> AUTHORIZED:TEQA-DC
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>>>>
>>> >>>>>> but,
>>> >>>>>>
>>> >>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is
>>> >>>>>> returning memberGroups AND SID for that user.
>>> >>>>>>
>>> >>>>>> C:\OPT>curl
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>> >>>>>> AUTHORIZED:TEQA-DC
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>>>>
>>> >>>>>> Since we are only interested in the member groups, tokenGroups is
>>> >>>>>> sufficient, but if you also need the user SID then you might keep
>>> >>>>>> the objectSID as well.
>>> >>>>>>
>>> >>>>>> Thanks
>>> >>>>>>
>>> >>>>>> Kadri
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com>
>>> >>>>>> wrote:
>>> >>>>>>>
>>> >>>>>>> I am curious about the following change, which does not seem
>>> >>>>>>> correct:
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>     //Specify the attributes to return
>>> >>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>>> >>>>>>> +    String returnedAtts[]={"tokenGroups"};
>>> >>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
>>> >>>>>>>
>>> >>>>>>> Karl
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay
>>> >>>>>>> <atalay.kadri@gmail.com>
>>> >>>>>>> wrote:
>>> >>>>>>>> Karl,
>>> >>>>>>>>
>>> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
>>> >>>>>>>>
>>> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do
>>> >>>>>>>> that from Tortoise.
>>> >>>>>>>> But you have my consent for granting the ASF license.
>>> >>>>>>>>
>>> >>>>>>>> Thanks
>>> >>>>>>>>
>>> >>>>>>>> Kadri
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com>
>>> >>>>>>>> wrote:
>>> >>>>>>>>>
>>> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to
>>> >>>>>>>>> the ticket if you prefer.  But you must click the "Grant ASF
>>> >>>>>>>>> License" button.
>>> >>>>>>>>>
>>> >>>>>>>>> Karl
>>> >>>>>>>>>
>>> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>>> >>>>>>>>> <atalay.kadri@gmail.com>
>>> >>>>>>>>> wrote:
>>> >>>>>>>>>> Karl,
>>> >>>>>>>>>>
>>> >>>>>>>>>> I'm using Tortoise SVN, and am new to SVN.
>>> >>>>>>>>>> Do you know how to do this with Tortoise?
>>> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>> >>>>>>>>>> BTW, there are some changes in the ParseUser method also; you
>>> >>>>>>>>>> can see all of them when you run the diff.
>>> >>>>>>>>>>
>>> >>>>>>>>>> Thanks
>>> >>>>>>>>>>
>>> >>>>>>>>>> Kadri
>>> >>>>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>
>>> >>>
>>> >>>
>>> >
>>
>
>
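Two points in the thread above deserve a worked example: Karl's question about how to escape the user name that is concatenated into the `(&(objectClass=user)(sAMAccountName=...))` filter, and Kadri's observation that `tokenGroups` and `objectSid` come back as binary values that the authority service prints as `S-1-5-...` tokens. The following is an added example written for this page, not code from ManifoldCF or from either author; the class name `AdLookupHelpers` and the sample SID bytes are my own constructions. It shows why the answer to Karl's question is "no, not the same style": a value inside a search filter is escaped per RFC 4515 (`*`, `(`, `)`, `\` and NUL become backslash plus two hex digits), whereas the `CN=...,CN=Users,DC=...` string is a distinguished name and follows RFC 4514 backslash escaping. Kadri's switch to the server-supplied `distinguishedName` as the search base removes the DN-building case entirely, which leaves the filter value as the one place where an unescaped user name lets a caller change the query. The SID decoder follows the documented binary layout (revision, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities).

```java
/**
 * Helpers for the Active Directory lookup discussed in the thread.
 * Added example for this page; not ManifoldCF code. Class name and
 * sample data are constructed for illustration.
 */
public final class AdLookupHelpers {

    /**
     * Escape a value embedded in an LDAP search filter (RFC 4515).
     * This is NOT the DN escaping (RFC 4514) used for "CN=...,CN=Users":
     * filter values escape '*', '(', ')', '\' and NUL as "\" + two hex digits.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The user-lookup filter from the thread, with the user name escaped. */
    public static String userFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userName) + "))";
    }

    /**
     * Convert a binary objectSid / tokenGroups value into the textual form
     * printed by the authority service (e.g. S-1-5-21-...-513).
     * Layout: revision (1 byte), sub-authority count (1 byte),
     * 48-bit big-endian identifier authority, then count x 32-bit
     * little-endian sub-authorities.
     */
    public static String sidToString(byte[] sid) {
        if (sid == null || sid.length < 8) {
            throw new IllegalArgumentException("SID too short");
        }
        int revision = sid[0] & 0xff;
        int count = sid[1] & 0xff;
        if (sid.length != 8 + 4 * count) {
            throw new IllegalArgumentException("SID length does not match sub-authority count");
        }
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xff);
        }
        StringBuilder sb = new StringBuilder("S-").append(revision).append('-').append(authority);
        for (int i = 0; i < count; i++) {
            int off = 8 + 4 * i;
            long sub = (sid[off] & 0xffL)
                     | ((sid[off + 1] & 0xffL) << 8)
                     | ((sid[off + 2] & 0xffL) << 16)
                     | ((sid[off + 3] & 0xffL) << 24);
            sb.append('-').append(sub);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain user name, then one containing filter
        // metacharacters, which must reach the server as literal characters.
        System.out.println(userFilter("katalay_admin"));
        System.out.println(userFilter("*)(objectClass=*"));
        // Constructed bytes for the well-known Users alias S-1-5-32-545:
        // revision 1, two sub-authorities, authority 5, then 32 and 545 (0x221) little-endian.
        byte[] usersAlias = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 33, 2, 0, 0};
        System.out.println(sidToString(usersAlias));
    }
}
```

In a JNDI-based lookup, the string returned by `userFilter` is what you would pass to `DirContext.search` against the domain base; the `distinguishedName` attribute of the single hit then becomes the base of a second, base-scope search whose returning attributes are `{"tokenGroups", "objectSid"}`, and each binary value goes through `sidToString` to produce the tokens seen in the `curl` output above. The `sidToString` length check matters because a truncated or malformed attribute value should fail loudly rather than yield a token that looks valid.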
