manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Which version of Solr have implements the Document Level Access Control
Date Mon, 09 May 2011 21:45:48 GMT
Shinichiro submitted a patch based on simply selecting which field to
use, and that was committed earlier today.

But thanks anyway!
Karl


On Mon, May 9, 2011 at 4:47 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
> Hi Karl,
>
> sAMAccountName holds the logon name up to 20 chars, and userPrincipalName
> holds the logon name up to 256 (including domain name).
>
> I made changes to accommodate both cases:  Please see attached file:
>
> We can resolve this issue by making 2 calls to getDistinguishedName method
> using different attributes.
> First call is with sAMAccountName (supports only up to 20 chars)
> If that fails, we can call again using userPrincipalName, up to 256 chars.
>
> Configuration may be used if we don't want to make 2 calls for performance
> reasons.
>
>     // Get DistinguishedName (for this method we are using DomainPart as a
>     // searchBase, i.e. DC=qa-ad-76,DC=metacarta,DC=com)
>     // First call is for logon-name limited to 20 chars, used with sAMAccountName
>     String userDN = getDistinguishedName(userPart, domainsb.toString(), "sAMAccountName");
>
>     // Second call is for logon-name NOT limited to 20 chars, used with userPrincipalName
>     if (userDN == null)
>         userDN = getDistinguishedName(userName, domainsb.toString(), "userPrincipalName");
>     return userDN;
>
> Following is the test results:
>
> Thanks
>
> Kadri
>
>
> C:\OPT>echo follOWING users are the same
>
> username 25 characters long
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=1234567890123456789012345@teqa.filetek.com"
> AUTHORIZED:TEQA-DC
> TOKEN:TEQA-DC:S-1-5-32-545
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-2627
> TOKEN:TEQA-DC:S-1-1-0
>
> username 20 characters long
>
> C:\OPT>curl
> "http://localhost:8345/mcf-authority-service/UserACLs?username=12345678901234567890@teqa.filetek.com"
> AUTHORIZED:TEQA-DC
> TOKEN:TEQA-DC:S-1-5-32-545
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-2627
> TOKEN:TEQA-DC:S-1-1-0
>
> C:\OPT>
>
> On Sun, May 8, 2011 at 10:19 AM, Karl Wright <daddywri@gmail.com> wrote:
>>
>> This looked very good, so I committed it as-is.  It does, however,
>> invalidate Shinichiro's earlier patch for CONNECTORS-197.  Would you
>> know what the login id field would be if the active directory instance
>> does not have sAMAccountName?  Is it uid?
>>
>> Karl
>>
>> On Fri, May 6, 2011 at 6:24 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> > Hi Karl,
>> >
>> > While looking over AD access and attributes, I found that
>> > "distinguishedName"
>> > attribute contains all the information we need for TokenGroups search,
>> > in
>> > the correct format ie:
>> > "CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
>> > and by using this attribute instead of CN, we don't need to build the
>> > searchbase ourselves.
>> >
>> > There are 2 advantages of using this attribute:
>> > 1- Even if the user is not part of the Users group (whatever the reason may be)
>> > we still get the results back, because his information is included in the
>> > "distinguishedName" attribute.
>> > 2- We don't need to treat any special characters like comma, etc. (it's
>> > already formatted).
>> >
>> > I tested the code it works. Please see attached for the latest.
>> >
>> > Thanks
>> >
>> > Kadri
>> >
>> > Following is no longer needed:
>> >     StringBuffer sb = new StringBuffer();
>> >     sb.append("CN=").append(ldapEscape(userCN)).append(",CN=Users,");
>> >     sb.append(domainsb);
>> >
>> >
>> >
>> >
>> >
>> > On Fri, May 6, 2011 at 11:03 AM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> >>
>> >> Hi Karl,
>> >>
>> >> Tested, and it's working.
>> >>
>> >> Thanks!
>> >>
>> >> Kadri
>> >>
>> >>
>> >> On Thu, May 5, 2011 at 7:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >>>
>> >>> I think yours was working because it was returning "cn=null,
>> >>> cn=users", which was a result of the fact that cn was null and the
>> >>> expression was assembled using the "+" operator.  When I separated the
>> >>> ldap escape out, it caused a null pointer exception to be thrown
>> >>> instead.  It should be fixed now.
>> >>>
>> >>> Karl
>> >>>
>> >>>
>> >>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> >>> > Fyi. The file I sent you was returning usernotfound.
>> >>> >
>> >>> >
>> >>> > Sent from my iPhone
>> >>> >
>> >>> > On May 5, 2011, at 7:12 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >>> >
>> >>> >> It must mean we're somehow throwing an exception in the case where
>> >>> >> the user is missing.  I bet I know why - the CN lookup is failing
>> >>> >> instead.  I'll see if I can change it.
>> >>> >>
>> >>> >> Karl
>> >>> >>
>> >>> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> >>> >>> It works, only difference I see with previous one is: if a domain
>> >>> >>> is reachable, message usernotfound makes a better indicator, somehow
>> >>> >>> we lost that.
>> >>> >>>
>> >>> >>>
>> >>> >>> C:\OPT>testauthority
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> Previous one
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> >>> >>> USERNOTFOUND:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>> >>> AUTHORIZED:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> >>> >>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>> >>> >>> AUTHORIZED:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>> >>> >>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>>
>> >>> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >>> >>>>
>> >>> >>>> I've cleaned things up slightly to restore the objectSid and also
>> >>> >>>> to fix an infinite loop if you have more than one comma in the escape
>> >>> >>>> expression.  I've attached the file, can you see if it works?
>> >>> >>>>
>> >>> >>>> Thanks,
>> >>> >>>> Karl
>> >>> >>>>
>> >>> >>>>
>> >>> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >>> >>>>> Thanks - we do need the user sid, so I will put that back.
>> >>> >>>>>
>> >>> >>>>> Also, I'd like to ask what you know about escaping the user name
>> >>> >>>>> in this expression:
>> >>> >>>>>
>> >>> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
>> >>> >>>>>
>> >>> >>>>> It seems to me that there is probably some escaping needed, but I
>> >>> >>>>> don't know what style.  Do you think it is the same (C-style, with
>> >>> >>>>> \ escape) as for the other case?
>> >>> >>>>>
>> >>> >>>>> Karl
>> >>> >>>>>
>> >>> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> >>> >>>>>> Hi Karl,
>> >>> >>>>>>
>> >>> >>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>> >>> >>>>>> memberGroups,
>> >>> >>>>>>
>> >>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>> >>>>>> AUTHORIZED:TEQA-DC
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>>>>
>> >>> >>>>>> but,
>> >>> >>>>>>
>> >>> >>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is
>> >>> >>>>>> returning memberGroups AND SID for that user.
>> >>> >>>>>>
>> >>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>> >>>>>> AUTHORIZED:TEQA-DC
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>>>>
>> >>> >>>>>> Since we are only interested in the member groups, tokenGroups
>> >>> >>>>>> is sufficient, but if you also need user SID then you might keep
>> >>> >>>>>> the objectSID as well.
>> >>> >>>>>>
>> >>> >>>>>> Thanks
>> >>> >>>>>>
>> >>> >>>>>> Kadri
>> >>> >>>>>>
>> >>> >>>>>>
>> >>> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >>> >>>>>>>
>> >>> >>>>>>> I am curious about the following change, which does not seem
>> >>> >>>>>>> correct:
>> >>> >>>>>>>
>> >>> >>>>>>>
>> >>> >>>>>>>     //Specify the attributes to return
>> >>> >>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>> >>> >>>>>>> +    String returnedAtts[]={"tokenGroups"};
>> >>> >>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
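Review bot: dropping "objectSid" from returnedAtts means the user's own SID is never fetched, so the authority can only emit the group SIDs from tokenGroups and no longer the user's SID token; the two UserACLs outputs Kadri posted in reply differ by exactly that one TOKEN line (the S-1-5-21-...-1480 entry). If documents can carry ACL entries for an individual user, that token is needed to authorize them, so keep `String returnedAtts[] = {"tokenGroups","objectSid"};` as the later message restoring the objectSid does.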
>> >>> >>>>>>>
>> >>> >>>>>>> Karl
>> >>> >>>>>>>
>> >>> >>>>>>>
>> >>> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> >>> >>>>>>>> Karl,
>> >>> >>>>>>>>
>> >>> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
>> >>> >>>>>>>>
>> >>> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do
>> >>> >>>>>>>> that from Tortoise.
>> >>> >>>>>>>> But, you got my consent for granting the ASF license.
>> >>> >>>>>>>>
>> >>> >>>>>>>> Thanks
>> >>> >>>>>>>>
>> >>> >>>>>>>> Kadri
>> >>> >>>>>>>>
>> >>> >>>>>>>>
>> >>> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddywri@gmail.com> wrote:
>> >>> >>>>>>>>>
>> >>> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file
>> >>> >>>>>>>>> to the ticket if you prefer.  But you must click the "Grant ASF
>> >>> >>>>>>>>> License" button.
>> >>> >>>>>>>>>
>> >>> >>>>>>>>> Karl
>> >>> >>>>>>>>>
>> >>> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay <atalay.kadri@gmail.com> wrote:
>> >>> >>>>>>>>>> Karl,
>> >>> >>>>>>>>>>
>> >>> >>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>> >>> >>>>>>>>>> Do you know how to do this with Tortoise ?
>> >>> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
>> >>> >>>>>>>>>> BTW, there are some changes in the ParseUser method also, you
>> >>> >>>>>>>>>> can see all when you run the diff.
>> >>> >>>>>>>>>>
>> >>> >>>>>>>>>> Thanks
>> >>> >>>>>>>>>>
>> >>> >>>>>>>>>> Kadri
>> >>> >>>>>>>>>>
>> >>> >>>>>>>>
>> >>> >>>>>>>>
>> >>> >>>>>>
>> >>> >>>>>>
>> >>> >>>>>
>> >>> >>>
>> >>> >>>
>> >>> >
>> >>
>> >
>> >
>
>
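
Three details of the AD lookup run through the thread above: the user name spliced unescaped into the search filter (Karl's escaping question), the sAMAccountName-then-userPrincipalName fallback in Kadri's patch for logon names longer than 20 characters, and the binary objectSid/tokenGroups values that surface as the TOKEN lines. The following is an added example, not ManifoldCF code, written in Python rather than the connector's Java; it shows all three against a constructed in-memory directory standing in for Active Directory. The entries, DNs and the `make_search` matcher are assumptions for the demo, and the filter escaping follows RFC 4515.

```python
# Added example, not ManifoldCF code: LDAP filter escaping, the two-step
# DN lookup and binary SID decoding, run against a constructed directory.
import re
import struct

_FILTER_SPECIAL = {0x5c, 0x2a, 0x28, 0x29, 0x00}  # \ * ( ) NUL


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value. Works on the UTF-8 bytes:
    backslash, '*', '(', ')', NUL and every non-ASCII byte become \\XX,
    so a caller-supplied name cannot close or extend the filter."""
    out = []
    for byte in value.encode('utf-8'):
        if byte in _FILTER_SPECIAL or byte > 0x7f:
            out.append('\\%02x' % byte)
        else:
            out.append(chr(byte))
    return ''.join(out)


def unescape_filter_value(value):
    """Inverse of escape_filter_value; used by the fake directory below."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == '\\':
            buf.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(value[i].encode('utf-8'))
            i += 1
    return buf.decode('utf-8')


def user_filter(attr, value):
    """The filter from the thread, with the value escaped."""
    return '(&(objectClass=user)(%s=%s))' % (attr, escape_filter_value(value))


def find_user_dn(search, login_name):
    """Two-step lookup as in Kadri's patch: the part before '@' against
    sAMAccountName (AD caps it at 20 characters), then the full login name
    against userPrincipalName. search(filter) returns a DN or None."""
    user_part = login_name.split('@', 1)[0]
    dn = search(user_filter('sAMAccountName', user_part))
    if dn is None:
        dn = search(user_filter('userPrincipalName', login_name))
    return dn


def sid_to_string(sid):
    """Decode a binary SID (the form objectSid and tokenGroups are returned
    in): revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count little-endian 32-bit sub-authorities."""
    if len(sid) < 8:
        raise ValueError('SID too short')
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(sid[2:8], 'big')
    subs = struct.unpack('<%dI' % count, sid[8:])
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)


# Constructed entries (assumption, not real data). The second user's logon
# name is 25 characters, so its sAMAccountName holds only the first 20.
FAKE_DIRECTORY = [
    {'dn': 'CN=katalay,CN=Users,DC=teqa,DC=filetek,DC=com',
     'sAMAccountName': 'katalay',
     'userPrincipalName': 'katalay@teqa.filetek.com'},
    {'dn': 'CN=1234567890123456789012345,CN=Users,DC=teqa,DC=filetek,DC=com',
     'sAMAccountName': '12345678901234567890',
     'userPrincipalName': '1234567890123456789012345@teqa.filetek.com'},
]

_FILTER_RE = re.compile(r'^\(&\(objectClass=user\)\(([A-Za-z]+)=(.*)\)\)$')


def make_search(entries):
    """Stand-in for the LDAP search: exact match on the unescaped value,
    so an escaped '*' is a literal asterisk rather than a wildcard."""
    def search(filter_string):
        m = _FILTER_RE.match(filter_string)
        if m is None:
            return None
        attr, wanted = m.group(1), unescape_filter_value(m.group(2))
        for entry in entries:
            if entry.get(attr) == wanted:
                return entry['dn']
        return None
    return search


if __name__ == '__main__':
    search = make_search(FAKE_DIRECTORY)
    for name in ('katalay@teqa.filetek.com',
                 '1234567890123456789012345@teqa.filetek.com',
                 '*', 'a)(cn=*'):
        print('%-45s -> %s' % (name, find_user_dn(search, name)))
    print(sid_to_string(bytes.fromhex('01020000000000052000000021020000')))
```

The 25-character name misses on sAMAccountName and is found through userPrincipalName, while `*` and `a)(cn=*` come back as not found because the escaped filter treats them as literal text; the same inputs spliced in raw, as in the `"(sAMAccountName=" + userName + "))"` expression Karl quotes, would turn into a wildcard or an extra filter clause.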
