Subject: Re: Which version of Solr have implements the Document Level Access Control
From: Kadri Atalay
Date: Thu, 5 May 2011 19:21:21 -0400
To: "connectors-user@incubator.apache.org"
Message-Id: <85FEC045-E10F-46A2-9372-BDE53E046A27@gmail.com>

Out of office now. Will try tomorrow. Thx

Sent from my iPhone

On May 5, 2011, at 7:17 PM, Karl Wright wrote:

> Try this.
> Karl
>
>
> On Thu, May 5, 2011 at 7:12 PM, Karl Wright wrote:
>> It must mean we're somehow throwing an exception in the case where the
>> user is missing. I bet I know why - the CN lookup is failing instead.
>> I'll see if I can change it.
>>
>> Karl
>>
>> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay wrote:
>>> It works, only difference I see with previous one is: if a domain is
>>> reachable, message usernotfound makes a better indicator, somehow we lost
>>> that.
>>>
>>>
>>> C:\OPT>testauthority
>>>
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>
>>> Previous one
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>>> USERNOTFOUND:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>
>>>
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>> AUTHORIZED:TEQA-DC
>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> TOKEN:TEQA-DC:S-1-1-0
>>>
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>>> AUTHORIZED:TEQA-DC
>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>>> TOKEN:TEQA-DC:S-1-1-0
>>>
>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>>> UNREACHABLEAUTHORITY:TEQA-DC
>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>
>>>
>>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright wrote:
>>>>
>>>> I've cleaned things up slightly to restore the objectSid and also to
>>>> fix an infinite loop if you have more than one comma in the escape
>>>> expression. I've attached the file, can you see if it works?
>>>>
>>>> Thanks,
>>>> Karl
>>>>
>>>>
>>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright wrote:
>>>>> Thanks - we do need the user sid, so I will put that back.
>>>>>
>>>>> Also, I'd like to ask what you know about escaping the user name in
>>>>> this expression:
>>>>>
>>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
>>>>>
>>>>> It seems to me that there is probably some escaping needed, but I
>>>>> don't know what style. Do you think it is the same (C-style, with \
>>>>> escape) as for the other case?
>>>>>
>>>>> Karl
>>>>>
>>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay wrote:
>>>>>> Hi Karl,
>>>>>>
>>>>>> String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>>>>> memberGroups,
>>>>>>
>>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>>> AUTHORIZED:TEQA-DC
>>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>>
>>>>>> but,
>>>>>>
>>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>>>>>> memberGroups AND SID for that user.
>>>>>>
>>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>>>>>> AUTHORIZED:TEQA-DC
>>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>>
>>>>>> Since we are only interested in the member groups, tokenGroups is
>>>>>> sufficient, but if you also need user SID then you might keep the
>>>>>> objectSID as well.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Kadri
>>>>>>
>>>>>>
>>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright wrote:
>>>>>>>
>>>>>>> I am curious about the following change, which does not seem correct:
>>>>>>>
>>>>>>>
>>>>>>> //Specify the attributes to return
>>>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"};
>>>>>>> + String returnedAtts[]={"tokenGroups"};
>>>>>>> searchCtls.setReturningAttributes(returnedAtts);
>>>>>>>
>>>>>>> Karl
>>>>>>>
>>>>>>>
>>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay wrote:
>>>>>>>> Karl,
>>>>>>>>
>>>>>>>> The ActiveDirectoryAuthority.java is attached.
>>>>>>>>
>>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that
>>>>>>>> from Tortoise.
>>>>>>>> But, you got my consent for granting the ASF license.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Kadri
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright wrote:
>>>>>>>>>
>>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
>>>>>>>>> ticket if you prefer. But you must click the "Grant ASF License"
>>>>>>>>> button.
>>>>>>>>>
>>>>>>>>> Karl
>>>>>>>>>
>>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay wrote:
>>>>>>>>>> Karl,
>>>>>>>>>>
>>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>>>>>>>>>> Do you know how to do this with Tortoise?
>>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>>>>>>>>> BTW, there are some changes in the ParseUser method also, you can
>>>>>>>>>> see all when you run the diff.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Kadri
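
Review bot: In the returnedAtts hunk quoted in the 6:01 PM message, the `+` line should keep "objectSid" in the attribute list: with only "tokenGroups" requested, the search returns the group SIDs but not the user's own SID, so an ACL entry that names the user directly has no token to match. Suggest leaving the `-` line's `{"tokenGroups","objectSid"}` in place and extending the `//Specify the attributes to return` comment to say why both attributes are requested, so the second one is not dropped again as redundant.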
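
The 6:23 PM message above asks which escaping style the sAMAccountName search filter needs. As an added example (not ManifoldCF's code and not written by anyone in the thread): LDAP search filters use the RFC 4515 form, a backslash followed by two hex digits, rather than C-style escapes. The class and method names are hypothetical, and every sample input except katalay_admin is constructed.

```java
import java.nio.charset.StandardCharsets;

public class LdapFilterEscapeExample {

    // RFC 4515 filter-value escaping: '*', '(', ')', '\' and NUL become a
    // backslash followed by two hex digits. Non-ASCII bytes are hex-escaped
    // as well, which the RFC permits for any octet.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean special = c == '*' || c == '(' || c == ')' || c == '\\' || c == 0;
            if (special || c >= 0x80) {
                sb.append('\\').append(String.format("%02x", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    // Same filter shape as the thread's searchFilter, with the value escaped.
    static String buildUserFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userName) + "))";
    }

    public static void main(String[] args) {
        // First value appears in the thread; the rest are constructed inputs
        // chosen to contain each filter metacharacter.
        String[] samples = {
            "katalay_admin", "*", "user)(objectClass=*", "a\\b", "jos\u00e9"
        };
        for (String s : samples) {
            // The unescaped form is what plain string concatenation produces.
            String raw = "(&(objectClass=user)(sAMAccountName=" + s + "))";
            System.out.println("input    : " + s);
            System.out.println("unescaped: " + raw);
            System.out.println("escaped  : " + buildUserFilter(s));
            System.out.println();
        }
    }
}
```

JNDI can also do the substitution itself: `DirContext.search(name, filterExpr, filterArgs, cons)` accepts `{0}`-style placeholders in the filter and escapes string arguments when filling them in. Distinguished names use a different escaping scheme (RFC 4514), so this helper applies only to filter values.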