Subject: Re: Which version of Solr have implements the Document Level Access Control
From: Karl Wright
To: connectors-user@incubator.apache.org
Date: Tue, 3 May 2011 19:39:23 -0400

I thought you were using the Quick Start, which does not have a sync directory.

Karl

On Tue, May 3, 2011 at 6:16 PM, Kadri Atalay wrote:
> Note:
> Did that, it still didn't help, but deleting the contents of mysyncdir worked.
>
> On Tue, May 3, 2011 at 5:48 PM, Karl Wright wrote:
>>
>> Never seen that before. Do you have more than one instance running?
>> Only one instance can run at a time or the database is unhappy.
>>
>> If that still doesn't seem to be the problem, try "ant clean" and then
>> "ant build" again. It will clean out the existing database instance.
>>
>> Karl
>>
>> On Tue, May 3, 2011 at 5:34 PM, Kadri Atalay wrote:
>> > Hi Karl,
>> >
>> > You are right, somehow I still had the OLD 195 code..
>> > Just got the latest, compiled, but this one doesn't start after the
>> > message "Configuration file successfully read"
>> >
>> > Any ideas?
>> >
>> > Thanks
>> >
>> > Kadri
>> >
>> > On Tue, May 3, 2011 at 3:12 PM, Karl Wright wrote:
>> >>
>> >> The latest CONNECTORS-195 branch code doesn't use sAMAccountName. It
>> >> uses ObjectSid. Your schema has ObjectSid. The version of
>> >> ActiveDirectoryAuthority in trunk looks up ObjectSid too. Indeed, the
>> >> only change is the addition of the following:
>> >>
>> >> if (theGroups.size() == 0)
>> >>   return userNotFoundResponse;
>> >>
>> >> This CANNOT occur for an existing user, because all existing users
>> >> must have at least one SID. And, if existing users returned the
>> >> proper SIDs before, this should not change anything. So I cannot see
>> >> how you could be getting the result you claim.
>> >>
>> >> Are you SURE you synched up the CONNECTORS-195 branch and built that?
>> >> I have not checked this code into trunk yet.
>> >>
>> >> Karl
>> >>
>> >> On Tue, May 3, 2011 at 2:46 PM, Kadri Atalay wrote:
>> >> > Hi Karl,
>> >> >
>> >> > Got the latest one, built and tried, but same result..
>> >> > In the meantime I took a look at my user account with an AD browser, and as
>> >> > you can see (attached) it does have a sAMAccountName attribute.
>> >> > BTW, do we have to use objectClass = user for the search filter? May
>> >> > need to check into this..
>> >> >
>> >> > Thanks
>> >> >
>> >> > Kadri
>> >> >
>> >> > On Tue, May 3, 2011 at 1:16 PM, Karl Wright wrote:
>> >> >>
>> >> >> I tried locating details of DSID-031006E0 on MSDN, to no avail.
>> >> >> Microsoft apparently doesn't document this error.
>> >> >> But I asked around, and there are two potential avenues forward.
>> >> >>
>> >> >> Avenue 1: There is a Windows tool called LDP, which should allow you
>> >> >> to browse AD's LDAP. What you would need to do is confirm that each
>> >> >> user has a sAMAccountName attribute.
>> >> >> If they *don't*, it is possible
>> >> >> that the domain was not set up in compatibility mode, which means
>> >> >> we'll need to find a different attribute to query against.
>> >> >>
>> >> >> Avenue 2: Just change the string "sAMAccountName" in the
>> >> >> ActiveDirectoryAuthority.java class to "uid", and try again. The
>> >> >> "uid" attribute should exist on all AD installations after Windows
>> >> >> 2000.
>> >> >>
>> >> >> Thanks,
>> >> >> Karl
>> >> >>
>> >> >> On Tue, May 3, 2011 at 12:52 PM, Karl Wright wrote:
>> >> >> > I removed the object scope from the user lookup - it's worth another
>> >> >> > try. Care to synch up and run again?
>> >> >> >
>> >> >> > Karl
>> >> >> >
>> >> >> > On Tue, May 3, 2011 at 12:36 PM, Karl Wright wrote:
>> >> >> >> As I feared, the new user-exists-check code is not correct in some
>> >> >> >> way. Apparently we can't retrieve the attribute I'm looking for by
>> >> >> >> this kind of query.
>> >> >> >>
>> >> >> >> The following website seems to have some suggestions as to how to do
>> >> >> >> better, with downloadable samples, but I'm not going to be able to
>> >> >> >> look at it in any detail until this evening.
>> >> >> >>
>> >> >> >> http://www.techtalkz.com/windows-server-2003/424352-get-samaccountnames-all-users-active-directory-group.html
>> >> >> >>
>> >> >> >> Karl
>> >> >> >>
>> >> >> >> On Tue, May 3, 2011 at 12:12 PM, Kadri Atalay wrote:
>> >> >> >>> Karl,
>> >> >> >>>
>> >> >> >>> Here is the first round of tests with CONNECTORS-195: Now we are
>> >> >> >>> getting all responses as TEQA-DC:DEAD_AUTHORITY.. even with valid users.
>> >> >> >>>
>> >> >> >>> Please take a look at the 2 bitmap files I have attached.
>> >> >> >>> (they have the screen shots from debug screens)
>> >> >> >>>
>> >> >> >>> invalid user and invalid domain
>> >> >> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>> >> >> >>> USERNOTFOUND:TEQA-DC
>> >> >> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >> >> >>>
>> >> >> >>> invalid user and valid (full domain name)
>> >> >> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> >> >> >>> USERNOTFOUND:TEQA-DC
>> >> >> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >> >> >>>
>> >> >> >>> valid user and valid domain (please see bitmap file katalay_admin@teqa.bmp)
>> >> >> >>> This name gets the similar error as the first fakeuser even though it's a
>> >> >> >>> valid user.
>> >> >> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>> >> >> >>> USERNOTFOUND:TEQA-DC
>> >> >> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >> >> >>>
>> >> >> >>> valid user and valid domain (full domain name) (please see bitmap file
>> >> >> >>> katalay_admin@teqa.filetek.com.bmp) This name gets a namenotfound exception
>> >> >> >>> when full domain name is used.
>> >> >> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >> >> >>> USERNOTFOUND:TEQA-DC
>> >> >> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >> >> >>>
>> >> >> >>> valid user and valid domain (full domain name)
>> >> >> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>> >> >> >>> USERNOTFOUND:TEQA-DC
>> >> >> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >> >> >>>
>> >> >> >>> Thanks
>> >> >> >>>
>> >> >> >>> Kadri
>> >> >> >>>
>> >> >> >>> On Tue, May 3, 2011 at 3:55 AM, Karl Wright wrote:
>> >> >> >>>>
>> >> >> >>>> Because this looks like it might involve some experimentation, I
>> >> >> >>>> decided to create a branch for working on the CONNECTORS-195 ticket.
>> >> >> >>>> The branch has what I believe is the correct code checked into it.
>> >> >> >>>> The branch svn root is:
>> >> >> >>>>
>> >> >> >>>> http://svn.apache.org/repos/asf/incubator/lcf/branches/CONNECTORS-195
>> >> >> >>>>
>> >> >> >>>> If you check this branch out and build it, I'd dearly love to know if
>> >> >> >>>> it properly detects non-existent users on your system. In theory it
>> >> >> >>>> should. If it is wrong, it might well decide that ALL users are
>> >> >> >>>> invalid, so your feedback is essential before I consider committing
>> >> >> >>>> this patch.
>> >> >> >>>>
>> >> >> >>>> Thanks,
>> >> >> >>>> Karl
>> >> >> >>>>
>> >> >> >>>> On Mon, May 2, 2011 at 5:52 PM, Karl Wright wrote:
>> >> >> >>>> > I opened a ticket, CONNECTORS-195, and added what I think is an
>> >> >> >>>> > explicit check for existence of the user as a patch.
>> >> >> >>>> > Can you apply
>> >> >> >>>> > the patch and let me know if it seems to fix the problem?
>> >> >> >>>> >
>> >> >> >>>> > Thanks,
>> >> >> >>>> > Karl
>> >> >> >>>> >
>> >> >> >>>> > On Mon, May 2, 2011 at 3:51 PM, Kadri Atalay wrote:
>> >> >> >>>> >> I see, thanks for the response.
>> >> >> >>>> >> I'll look into it a little deeper before making a suggestion on how to
>> >> >> >>>> >> check for this internal exception.. If JDK 1.6 behavior is different
>> >> >> >>>> >> than JDK 1.5 for LDAP, this may not be the only problem we may encounter..
>> >> >> >>>> >> Maybe any exception generated by the JDK during this request should be
>> >> >> >>>> >> evaluated.. We'll see.
>> >> >> >>>> >> Thanks.
>> >> >> >>>> >> Kadri
>> >> >> >>>> >>
>> >> >> >>>> >> On Mon, May 2, 2011 at 3:44 PM, Karl Wright wrote:
>> >> >> >>>> >>>
>> >> >> >>>> >>> "NameNotFound exception is never being reached because process is
>> >> >> >>>> >>> throwing internal exception, and this is never checked."
>> >> >> >>>> >>>
>> >> >> >>>> >>> I see the logging trace; it looks like the ldap code is eating the
>> >> >> >>>> >>> exception and returning a blank list. This is explicitly NOT what is
>> >> >> >>>> >>> supposed to happen, nor did it happen on JDK 1.5, I am certain. You
>> >> >> >>>> >>> might find that this behavior has changed between Java releases.
>> >> >> >>>> >>>
>> >> >> >>>> >>> "Also, what is the reason for adding everyone group for each response ?"
>> >> >> >>>> >>>
>> >> >> >>>> >>> I added this in because the standard treatment of Active Directory
>> >> >> >>>> >>> 2000 and 2003 was to exclude the public ACL. Since all users have it,
>> >> >> >>>> >>> if the user exists (which was the case if NameNotFound exception was
>> >> >> >>>> >>> not being thrown), it was always safe to add it in.
>> >> >> >>>> >>>
>> >> >> >>>> >>> If JDK xxx, which is eating the internal exception, gives back SOME
>> >> >> >>>> >>> signal that the user does not exist, we can certainly check for that.
>> >> >> >>>> >>> What signal do you recommend looking for, based on the trace? Is
>> >> >> >>>> >>> there any way to get at "errEx    PartialResultException  (id=7962)"
>> >> >> >>>> >>> from NamingEnumeration answer?
>> >> >> >>>> >>>
>> >> >> >>>> >>> Karl
>> >> >> >>>> >>>
>> >> >> >>>> >>> On Mon, May 2, 2011 at 3:31 PM, Kadri Atalay wrote:
>> >> >> >>>> >>> > Hi Karl,
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > I noticed in the code that NameNotFound exception is never being
>> >> >> >>>> >>> > reached because process is throwing internal exception, and this is
>> >> >> >>>> >>> > never checked. (see below)
>> >> >> >>>> >>> > Also, what is the reason for adding everyone group for each response ?
>> >> >> >>>> >>> >       theGroups.add("S-1-1-0");
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > When there are no groups or SIDs returned, the following return code is
>> >> >> >>>> >>> > still used..
>> >> >> >>>> >>> >       return new AuthorizationResponse(tokens,AuthorizationResponse.RESPONSE_OK);
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > Should I assume this code was tested against an Active Directory, and
>> >> >> >>>> >>> > working, or should I start checking from the beginning that every
>> >> >> >>>> >>> > parameter is entered. (see below)
>> >> >> >>>> >>> > For example, in the following code, DIGEST-MD5 GSSAPI is used for
>> >> >> >>>> >>> > security authentication, but user name and password are passed as
>> >> >> >>>> >>> > clear text.. and not in the format they suggest in their documentation.
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > Thanks
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > Kadri
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > http://download.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html
>> >> >> >>>> >>> >
>> >> >> >>>> >>> >     if (ctx == null)
>> >> >> >>>> >>> >     {
>> >> >> >>>> >>> >       // Calculate the ldap url first
>> >> >> >>>> >>> >       String ldapURL = "ldap://" + domainControllerName + ":389";
>> >> >> >>>> >>> >
>> >> >> >>>> >>> >       Hashtable env = new Hashtable();
>> >> >> >>>> >>> >       env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
>> >> >> >>>> >>> >       env.put(Context.SECURITY_AUTHENTICATION,"DIGEST-MD5 GSSAPI");
>> >> >> >>>> >>> >       env.put(Context.SECURITY_PRINCIPAL,userName);
>> >> >> >>>> >>> >       env.put(Context.SECURITY_CREDENTIALS,password);
>> >> >> >>>> >>> >
>> >> >> >>>> >>> >       //connect to my domain controller
>> >> >> >>>> >>> >       env.put(Context.PROVIDER_URL,ldapURL);
>> >> >> >>>> >>> >
>> >> >> >>>> >>> >       //specify attributes to be returned in binary format
>> >> >> >>>> >>> >       env.put("java.naming.ldap.attributes.binary","tokenGroups objectSid");
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > fakeuser@teqa
>> >> >> >>>> >>> >
>> >> >> >>>> >>> >     //Search for objects using the filter
>> >> >> >>>> >>> >       NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > answer    LdapSearchEnumeration  (id=6635)
>> >> >> >>>> >>> >     cleaned    false
>> >> >> >>>> >>> >     cont    Continuation  (id=6674)
>> >> >> >>>> >>> >     entries    Vector  (id=6675)
>> >> >> >>>> >>> >     enumClnt    LdapClient  (id=6676)
>> >> >> >>>> >>> >         authenticateCalled    true
>> >> >> >>>> >>> >         conn    Connection  (id=6906)
>> >> >> >>>> >>> >         isLdapv3    true
>> >> >> >>>> >>> >         pcb    null
>> >> >> >>>> >>> >         pooled    false
>> >> >> >>>> >>> >         referenceCount    1
>> >> >> >>>> >>> >         unsolicited    Vector  (id=6907)
>> >> >> >>>> >>> >     errEx    PartialResultException  (id=6677)
>> >> >> >>>> >>> >         cause    PartialResultException  (id=6677)
>> >> >> >>>> >>> >         detailMessage    "[LDAP: error code 10 - 0000202B: RefErr: DSID-031006E0, data 0, 1 access points\n\tref 1: 'teqa'\n
>> >> >> >>>> >>> >
>> >> >> >>>> >>> >       ArrayList theGroups = new ArrayList();
>> >> >> >>>> >>> >       // All users get certain well-known groups
>> >> >> >>>> >>> >       theGroups.add("S-1-1-0");
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > answer    LdapSearchEnumeration  (id=7940)
>> >> >> >>>> >>> >     cleaned    false
>> >> >> >>>> >>> >     cont    Continuation  (id=7959)
>> >> >> >>>> >>> >     entries    Vector  (id=7960)
>> >> >> >>>> >>> >     enumClnt    LdapClient  (id=7961)
>> >> >> >>>> >>> >     errEx    PartialResultException  (id=7962)
>> >> >> >>>> >>> >         cause    PartialResultException  (id=7962)
>> >> >> >>>> >>> >         detailMessage    "[LDAP: error code 10 - 0000202B: RefErr: DSID-031006E0, data 0, 1 access points\n\tref 1: 'teqa'\n
>> >> >> >>>> >>> >
>> >> >> >>>> >>> >       return new AuthorizationResponse(tokens,AuthorizationResponse.RESPONSE_OK);
>> >> >> >>>> >>> >
>> >> >> >>>> >>> > On Tue, Apr 26, 2011 at 12:54 PM, Karl Wright wrote:
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >> If a completely unknown user still comes back as existing, then it's
>> >> >> >>>> >>> >> time to look at how your domain controller is configured.
>> >> >> >>>> >>> >> Specifically, what do you have it configured to trust? What version
>> >> >> >>>> >>> >> of Windows is this?
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >> The way LDAP tells you a user does not exist in Java is by an
>> >> >> >>>> >>> >> exception.
>> >> >> >>>> >>> >> So this statement:
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >>       NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >> will throw the NameNotFoundException if the name doesn't exist, which
>> >> >> >>>> >>> >> the Active Directory connector then catches:
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >>     catch (NameNotFoundException e)
>> >> >> >>>> >>> >>     {
>> >> >> >>>> >>> >>       // This means that the user doesn't exist
>> >> >> >>>> >>> >>       return userNotFoundResponse;
>> >> >> >>>> >>> >>     }
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >> Clearly this is not working at all for your setup. Maybe you can look
>> >> >> >>>> >>> >> at the DC's event logs, and see what kinds of decisions it is making
>> >> >> >>>> >>> >> here? It's not making much sense to me at this point.
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >> Karl
>> >> >> >>>> >>> >>
>> >> >> >>>> >>> >> On Tue, Apr 26, 2011 at 12:45 PM, Kadri Atalay wrote:
>> >> >> >>>> >>> >> > Get the same result with a user that doesn't exist
>> >> >> >>>> >>> >> > C:\OPT\security_example>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>> >> >> >>>> >>> >> > AUTHORIZED:TEQA-DC
>> >> >> >>>> >>> >> > TOKEN:TEQA-DC:S-1-1-0
>> >> >> >>>> >>> >> >
>> >> >> >>>> >>> >> > BTW, is there a command to get all users available in Active Directory
>> >> >> >>>> >>> >> > from the mcf-authority service, or other test commands to see if it's
>> >> >> >>>> >>> >> > working correctly?
>> >> >> >>>> >>> >> >
>> >> >> >>>> >>> >> > Also, I set the logging level to finest from Solr Admin for
>> >> >> >>>> >>> >> > ManifoldCFSecurityFilter, but I don't see any logs created.. Are there
>> >> >> >>>> >>> >> > any other settings that need to be tweaked?
>> >> >> >>>> >>> >> >
>> >> >> >>>> >>> >> > Thanks
>> >> >> >>>> >>> >> >
>> >> >> >>>> >>> >> > Kadri
>> >> >> >>>> >>> >> >
>> >> >> >>>> >>> >> > On Tue, Apr 26, 2011 at 12:38 PM, Karl Wright wrote:
>> >> >> >>>> >>> >> >>
>> >> >> >>>> >>> >> >> One other quick note. You might want to try a user that doesn't exist
>> >> >> >>>> >>> >> >> and see what you get. It should be a USERNOTFOUND response.
>> >> >> >>>> >>> >> >>
>> >> >> >>>> >>> >> >> If that's indeed what you get back, then this is a relatively minor
>> >> >> >>>> >>> >> >> issue with Active Directory. Basically the S-1-1-0 SID is added by
>> >> >> >>>> >>> >> >> the active directory authority, so the DC is actually returning an
>> >> >> >>>> >>> >> >> empty list of SIDs for the user with an unknown domain. It *should*
>> >> >> >>>> >>> >> >> tell us the user doesn't exist, I agree, but that's clearly a problem
>> >> >> >>>> >>> >> >> only Active Directory can solve; we can't make that decision in the
>> >> >> >>>> >>> >> >> active directory connector because the DC may be just one node in a
>> >> >> >>>> >>> >> >> hierarchy. Perhaps there's a Microsoft knowledge-base article that
>> >> >> >>>> >>> >> >> would clarify things further.
>> >> >> >>>> >>> >> >>
>> >> >> >>>> >>> >> >> Please let me know what you find.
>> >> >> >>>> >>> >> >> Karl
>> >> >> >>>> >>> >> >>
>> >> >> >>>> >>> >> >> On Tue, Apr 26, 2011 at 12:27 PM, Karl Wright wrote:
>> >> >> >>>> >>> >> >> > The method code from the Active Directory authority that handles the
>> >> >> >>>> >>> >> >> > LDAP query construction is below.
>> >> >> >>>> >>> >> >> > It looks perfectly reasonable to me:
>> >> >> >>>> >>> >> >> >
>> >> >> >>>> >>> >> >> >   /** Parse a user name into an ldap search base. */
>> >> >> >>>> >>> >> >> >   protected static String parseUser(String userName)
>> >> >> >>>> >>> >> >> >     throws ManifoldCFException
>> >> >> >>>> >>> >> >> >   {
>> >> >> >>>> >>> >> >> >     //String searchBase = "CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
>> >> >> >>>> >>> >> >> >     int index = userName.indexOf("@");
>> >> >> >>>> >>> >> >> >     if (index == -1)
>> >> >> >>>> >>> >> >> >       throw new ManifoldCFException("Username is in unexpected form (no @): '"+userName+"'");
>> >> >> >>>> >>> >> >> >     String userPart = userName.substring(0,index);
>> >> >> >>>> >>> >> >> >     String domainPart = userName.substring(index+1);
>> >> >> >>>> >>> >> >> >     // Start the search base assembly
>> >> >> >>>> >>> >> >> >     StringBuffer sb = new StringBuffer();
>> >> >> >>>> >>> >> >> >     sb.append("CN=").append(userPart).append(",CN=Users");
>> >> >> >>>> >>> >> >> >     int j = 0;
>> >> >> >>>> >>> >> >> >     while (true)
>> >> >> >>>> >>> >> >> >     {
>> >> >> >>>> >>> >> >> >       int k = domainPart.indexOf(".",j);
>> >> >> >>>> >>> >> >> >       if (k == -1)
>> >> >> >>>> >>> >> >> >       {
>> >> >> >>>> >>> >> >> >         sb.append(",DC=").append(domainPart.substring(j));
>> >> >> >>>> >>> >> >> >         break;
>> >> >> >>>> >>> >> >> >       }
>> >> >> >>>> >>> >> >> >       sb.append(",DC=").append(domainPart.substring(j,k));
>> >> >> >>>> >>> >> >> >       j = k+1;
>> >> >> >>>> >>> >> >> >     }
>> >> >> >>>> >>> >> >> >     return sb.toString();
>> >> >> >>>> >>> >> >> >   }
>> >> >> >>>> >>> >> >> >
>> >> >> >>>> >>> >> >> > So I have to conclude that your Active Directory domain controller is
>> >> >> >>>> >>> >> >> > simply not caring what the DC= fields are, for some reason. No idea
>> >> >> >>>> >>> >> >> > why.
>> >> >> >>>> >>> >> >> >
>> >> >> >>>> >>> >> >> > If you want to confirm this picture, you might want to create a patch
>> >> >> >>>> >>> >> >> > to add some Logging.authorityConnectors.debug statements at
>> >> >> >>>> >>> >> >> > appropriate places so we can see the actual query it's sending to
>> >> >> >>>> >>> >> >> > LDAP. I'm happy to commit this debug output patch eventually if you
>> >> >> >>>> >>> >> >> > also want to create a ticket.
>> >> >> >>>> >>> >> >> >
>> >> >> >>>> >>> >> >> > Thanks,
>> >> >> >>>> >>> >> >> > Karl
>> >> >> >>>> >>> >> >> >
>> >> >> >>>> >>> >> >> > On Tue, Apr 26, 2011 at 12:17 PM, Kadri Atalay wrote:
>> >> >> >>>> >>> >> >> >> Yes, ManifoldCF is running with the JCIFS connector, and using Solr 3.1
>> >> >> >>>> >>> >> >> >>
>> >> >> >>>> >>> >> >> >> response to first call:
>> >> >> >>>> >>> >> >> >> C:\OPT\security_example>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=joe"
>> >> >> >>>> >>> >> >> >> UNREACHABLEAUTHORITY:TEQA-DC
>> >> >> >>>> >>> >> >> >> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >> >> >>>> >>> >> >> >>
>> >> >> >>>> >>> >> >> >> response to fake domain call:
>> >> >> >>>> >>> >> >> >> C:\OPT\security_example>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=joe@fakedomain"
>> >> >> >>>> >>> >> >> >> AUTHORIZED:TEQA-DC
>> >> >> >>>> >>> >> >> >> TOKEN:TEQA-DC:S-1-1-0
>> >> >> >>>> >>> >> >> >>
>> >> >> >>>> >>> >> >> >> response to actual domain account call:
>> >> >> >>>> >>> >> >> >> C:\OPT\security_example>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>> >> >> >>>> >>> >> >> >> AUTHORIZED:TEQA-DC
>> >> >> >>>> >>> >> >> >> TOKEN:TEQA-DC:S-1-1-0
>> >> >> >>>> >>> >> >> >>
>> >> >> >>>> >>> >> >> >> Looks like as long as there is a domain suffix, the return is positive..
>> >> >> >>>> >>> >> >> >>
>> >> >> >>>> >>> >> >> >> Thanks
>> >> >> >>>> >>> >> >> >>
>> >> >> >>>> >>> >> >> >> Kadri
>> >> >> >>>> >>> >> >> >>
>> >> >> >>>> >>> >> >> >> On Tue, Apr 26, 2011 at 12:10 PM, Karl Wright wrote:
>> >> >> >>>> >>> >> >> >>>
>> >> >> >>>> >>> >> >> >>> So you are trying to extend the example in the book, correct, to run
>> >> >> >>>> >>> >> >> >>> against active directory and the JCIFS connector? And this is with
>> >> >> >>>> >>> >> >> >>> Solr 3.1?
>> >> >> >>>> >>> >> >> >>>
>> >> >> >>>> >>> >> >> >>> The book was written for Solr 1.4.1, so it's entirely possible that
>> >> >> >>>> >>> >> >> >>> something in Solr changed in relation to the way search components
>> >> >> >>>> >>> >> >> >>> are used. So I think we're going to need to do some debugging.
>> >> >> >>>> >>> >> >> >>>
>> >> >> >>>> >>> >> >> >>> (1) First, to confirm sanity, try using curl against the mcf authority
>> >> >> >>>> >>> >> >> >>> service.
=A0Try some combination of users to se= e >> >> >> >>>> >>> >> >> >>> how >> >> >> >>>> >>> >> >> >>> that >> >> >> >>>> >>> >> >> >>> works, >> >> >> >>>> >>> >> >> >>> e.g.: >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> curl >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> "http://localhost:8345/mcf-authority-service/Us= erACLs?username=3Djoe" >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> ...and >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> curl >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> "http://localhost:8345/mcf-authority-service/Us= erACLs?username=3Djoe@fakedomain" >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> ...and also the real domain name, whatever that >> >> >> >>>> >>> >> >> >>> is. >> >> >> >>>> >>> >> >> >>> =A0See if >> >> >> >>>> >>> >> >> >>> the >> >> >> >>>> >>> >> >> >>> access >> >> >> >>>> >>> >> >> >>> tokens that come back look correct. =A0If they >> >> >> >>>> >>> >> >> >>> don't >> >> >> >>>> >>> >> >> >>> then >> >> >> >>>> >>> >> >> >>> we >> >> >> >>>> >>> >> >> >>> know >> >> >> >>>> >>> >> >> >>> where >> >> >> >>>> >>> >> >> >>> there's an issue. 
>> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> If they *are* correct, let me know and we'll go >> >> >> >>>> >>> >> >> >>> to >> >> >> >>>> >>> >> >> >>> the >> >> >> >>>> >>> >> >> >>> next >> >> >> >>>> >>> >> >> >>> stage, >> >> >> >>>> >>> >> >> >>> which would be to make sure the authority servi= ce >> >> >> >>>> >>> >> >> >>> is >> >> >> >>>> >>> >> >> >>> actually >> >> >> >>>> >>> >> >> >>> getting >> >> >> >>>> >>> >> >> >>> called and the proper query is being built and >> >> >> >>>> >>> >> >> >>> run >> >> >> >>>> >>> >> >> >>> under >> >> >> >>>> >>> >> >> >>> Solr >> >> >> >>>> >>> >> >> >>> 3.1. >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> Thanks, >> >> >> >>>> >>> >> >> >>> Karl >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> On Tue, Apr 26, 2011 at 11:59 AM, Kadri Atalay >> >> >> >>>> >>> >> >> >>> >> >> >> >>>> >>> >> >> >>> wrote: >> >> >> >>>> >>> >> >> >>> > Hi Karl, >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > I followed the instructions, and for testing >> >> >> >>>> >>> >> >> >>> > purposes >> >> >> >>>> >>> >> >> >>> > set >> >> >> >>>> >>> >> >> >>> > "stored=3Dtrue" >> >> >> >>>> >>> >> >> >>> > to >> >> >> >>>> >>> >> >> >>> > be able to see the ACL values stored in Solr. >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > But, when I run the search in following forma= t >> >> >> >>>> >>> >> >> >>> > I >> >> >> >>>> >>> >> >> >>> > get >> >> >> >>>> >>> >> >> >>> > peculiar >> >> >> >>>> >>> >> >> >>> > results.. 
>> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > :http://10.1.200.155:8080/solr/select/?q=3D*%= 3A*&AuthenticatedUserName=3Dusername >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > Any user name without a domain name=A0 ie >> >> >> >>>> >>> >> >> >>> > AuthenticatedUserName=3Djoe >> >> >> >>>> >>> >> >> >>> > does >> >> >> >>>> >>> >> >> >>> > not >> >> >> >>>> >>> >> >> >>> > return any results (which is correct) >> >> >> >>>> >>> >> >> >>> > But any user name with ANY domain name return= s >> >> >> >>>> >>> >> >> >>> > all >> >> >> >>>> >>> >> >> >>> > the >> >> >> >>>> >>> >> >> >>> > indexes >> >> >> >>>> >>> >> >> >>> > ie >> >> >> >>>> >>> >> >> >>> > AuthenticatedUserName=3Djoe@fakedomain=A0=A0 = (which >> >> >> >>>> >>> >> >> >>> > is >> >> >> >>>> >>> >> >> >>> > not >> >> >> >>>> >>> >> >> >>> > correct) >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > Any thoughts ? >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > Thanks >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > Kadri >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > On Sun, Apr 24, 2011 at 7:08 PM, Karl Wright >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > wrote: >> >> >> >>>> >>> >> >> >>> >> >> >> >> >>>> >>> >> >> >>> >> Solr 3.1 is being clever here; it's seeing >> >> >> >>>> >>> >> >> >>> >> arguments >> >> >> >>>> >>> >> >> >>> >> coming >> >> >> >>>> >>> >> >> >>> >> in >> >> >> >>>> >>> >> >> >>> >> that >> >> >> >>>> >>> >> >> >>> >> do >> >> >> >>>> >>> >> >> >>> >> not correspond to known schema fields, and >> >> >> >>>> >>> >> >> >>> >> presuming >> >> >> >>>> >>> >> >> >>> >> they >> >> >> >>>> >>> >> >> >>> >> are >> >> >> >>>> >>> >> >> >>> >> "automatic" fields. 
=A0So when the schema is >> >> >> >>>> >>> >> >> >>> >> unmodified, >> >> >> >>>> >>> >> >> >>> >> you >> >> >> >>>> >>> >> >> >>> >> see >> >> >> >>>> >>> >> >> >>> >> these >> >> >> >>>> >>> >> >> >>> >> fields that Solr creates for you, with the >> >> >> >>>> >>> >> >> >>> >> attr_ >> >> >> >>>> >>> >> >> >>> >> prefix. >> >> >> >>>> >>> >> >> >>> >> =A0They >> >> >> >>>> >>> >> >> >>> >> are >> >> >> >>>> >>> >> >> >>> >> created as being "stored", which is not good >> >> >> >>>> >>> >> >> >>> >> for >> >> >> >>>> >>> >> >> >>> >> access >> >> >> >>>> >>> >> >> >>> >> tokens >> >> >> >>>> >>> >> >> >>> >> since >> >> >> >>>> >>> >> >> >>> >> then you will see them in the response. =A0I >> >> >> >>>> >>> >> >> >>> >> don't >> >> >> >>>> >>> >> >> >>> >> know if >> >> >> >>>> >>> >> >> >>> >> they >> >> >> >>>> >>> >> >> >>> >> are >> >> >> >>>> >>> >> >> >>> >> indexed or not, but I imagine not, which is >> >> >> >>>> >>> >> >> >>> >> also >> >> >> >>>> >>> >> >> >>> >> not >> >> >> >>>> >>> >> >> >>> >> good. >> >> >> >>>> >>> >> >> >>> >> >> >> >> >>>> >>> >> >> >>> >> So following the instructions is still the >> >> >> >>>> >>> >> >> >>> >> right >> >> >> >>>> >>> >> >> >>> >> thing to >> >> >> >>>> >>> >> >> >>> >> do, >> >> >> >>>> >>> >> >> >>> >> I >> >> >> >>>> >>> >> >> >>> >> would >> >> >> >>>> >>> >> >> >>> >> say. 
>> >> >> >>>> >>> >> >> >>> >> >> >> >> >>>> >>> >> >> >>> >> Karl >> >> >> >>>> >>> >> >> >>> >> >> >> >> >>>> >>> >> >> >>> >> On Fri, Apr 22, 2011 at 3:24 PM, Kadri Atala= y >> >> >> >>>> >>> >> >> >>> >> >> >> >> >>>> >>> >> >> >>> >> wrote: >> >> >> >>>> >>> >> >> >>> >> > Hi Karl, >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > There is one thing I noticed while followi= ng >> >> >> >>>> >>> >> >> >>> >> > the >> >> >> >>>> >>> >> >> >>> >> > example in >> >> >> >>>> >>> >> >> >>> >> > chapter >> >> >> >>>> >>> >> >> >>> >> > 4.: >> >> >> >>>> >>> >> >> >>> >> > Prior to making any changes into the >> >> >> >>>> >>> >> >> >>> >> > schema.xml, I >> >> >> >>>> >>> >> >> >>> >> > was >> >> >> >>>> >>> >> >> >>> >> > able >> >> >> >>>> >>> >> >> >>> >> > to >> >> >> >>>> >>> >> >> >>> >> > see >> >> >> >>>> >>> >> >> >>> >> > the >> >> >> >>>> >>> >> >> >>> >> > following security information in query >> >> >> >>>> >>> >> >> >>> >> > responses: >> >> >> >>>> >>> >> >> >>> >> > ie: >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > - >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-3-0 >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-5-13 >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-5-18 >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-5-32-544 >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-5-32-545 >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-5-32-547 >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > - >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-1-0 >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-5-2 >> >> >> >>>> >>> >> >> >>> >> > - >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > TEQA-DC:S-1-5-21-1212545812-2858578934-356= 3067286-1480 >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> 
>>> >> >> >>> >> > - >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > - >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0Autonomy ODBC >> >> >> >>>> >>> >> >> >>> >> > Fetch >> >> >> >>>> >>> >> >> >>> >> > Technical >> >> >> >>>> >>> >> >> >>> >> > Brief >> >> >> >>>> >>> >> >> >>> >> > 0506 >> >> >> >>>> >>> >> >> >>> >> > Technical Brief >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > But, after I modified the schema/xml, and >> >> >> >>>> >>> >> >> >>> >> > added >> >> >> >>>> >>> >> >> >>> >> > the >> >> >> >>>> >>> >> >> >>> >> > following >> >> >> >>>> >>> >> >> >>> >> > fields, >> >> >> >>>> >>> >> >> >>> >> > =A0 =A0 >> >> >> >>>> >>> >> >> >>> >> > =A0 =A0 > >> >> >>>> >>> >> >> >>> >> > type=3D"string" >> >> >> >>>> >>> >> >> >>> >> > indexed=3D"true" >> >> >> >>>> >>> >> >> >>> >> > stored=3D"false" multiValued=3D"true"/> >> >> >> >>>> >>> >> >> >>> >> > =A0 =A0 > >> >> >>>> >>> >> >> >>> >> > type=3D"string" >> >> >> >>>> >>> >> >> >>> >> > indexed=3D"true" >> >> >> >>>> >>> >> >> >>> >> > stored=3D"false" multiValued=3D"true"/> >> >> >> >>>> >>> >> >> >>> >> > =A0 =A0 > >> >> >>>> >>> >> >> >>> >> > type=3D"string" >> >> >> >>>> >>> >> >> >>> >> > indexed=3D"true" >> >> >> >>>> >>> >> >> >>> >> > stored=3D"false" multiValued=3D"true"/> >> >> >> >>>> >>> >> >> >>> >> > =A0 =A0 > >> >> >>>> >>> >> >> >>> >> > type=3D"string" >> >> >> >>>> >>> >> >> >>> >> > indexed=3D"true" >> >> >> >>>> >>> >> >> >>> >> > stored=3D"false" multiValued=3D"true"/> >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > I longer see neither the >> >> >> >>>> >>> >> >> >>> >> > attr_allow_token_document >> >> >> >>>> >>> >> >> >>> >> > =A0 or >> >> >> >>>> >>> >> >> >>> >> > the >> >> >> >>>> >>> >> >> >>> >> > allow_token_document fields.. 
>> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > Since same fields exist with attr_ =A0pref= ix, >> >> >> >>>> >>> >> >> >>> >> > should >> >> >> >>>> >>> >> >> >>> >> > we >> >> >> >>>> >>> >> >> >>> >> > need >> >> >> >>>> >>> >> >> >>> >> > to >> >> >> >>>> >>> >> >> >>> >> > add >> >> >> >>>> >>> >> >> >>> >> > these >> >> >> >>>> >>> >> >> >>> >> > new >> >> >> >>>> >>> >> >> >>> >> > field names into the schema file, or can w= e >> >> >> >>>> >>> >> >> >>> >> > simply >> >> >> >>>> >>> >> >> >>> >> > change >> >> >> >>>> >>> >> >> >>> >> > ManifoldSecurity >> >> >> >>>> >>> >> >> >>> >> > to use attr_ fields ? >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > Also, when Solr is running under Tomcat, I >> >> >> >>>> >>> >> >> >>> >> > have >> >> >> >>>> >>> >> >> >>> >> > to >> >> >> >>>> >>> >> >> >>> >> > re-start >> >> >> >>>> >>> >> >> >>> >> > the >> >> >> >>>> >>> >> >> >>> >> > Solr >> >> >> >>>> >>> >> >> >>> >> > App, or >> >> >> >>>> >>> >> >> >>> >> > re-start Tomcat to see the newly added >> >> >> >>>> >>> >> >> >>> >> > indexes.. >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > Any thoughts ? >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > Thanks >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > Kadri >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > On Fri, Apr 22, 2011 at 12:53 PM, Karl >> >> >> >>>> >>> >> >> >>> >> > Wright >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > wrote: >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> I don't believe Solr has yet officially >> >> >> >>>> >>> >> >> >>> >> >> released >> >> >> >>>> >>> >> >> >>> >> >> document >> >> >> >>>> >>> >> >> >>> >> >> access >> >> >> >>>> >>> >> >> >>> >> >> control, so you will need to use the patc= h >> >> >> >>>> >>> >> >> >>> >> >> for >> >> >> >>>> >>> >> >> >>> >> >> ticket >> >> >> >>>> >>> >> >> >>> >> >> 1895. 
>> >> >> >>>> >>> >> >> >>> >> >> Alternatively, the ManifoldCF in Action >> >> >> >>>> >>> >> >> >>> >> >> chapter 4 >> >> >> >>>> >>> >> >> >>> >> >> example >> >> >> >>>> >>> >> >> >>> >> >> has >> >> >> >>>> >>> >> >> >>> >> >> an >> >> >> >>>> >>> >> >> >>> >> >> implementation based on this ticket. =A0Y= ou >> >> >> >>>> >>> >> >> >>> >> >> can >> >> >> >>>> >>> >> >> >>> >> >> get >> >> >> >>>> >>> >> >> >>> >> >> the >> >> >> >>>> >>> >> >> >>> >> >> code >> >> >> >>>> >>> >> >> >>> >> >> for >> >> >> >>>> >>> >> >> >>> >> >> it at >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> https://manifoldcfinaction.googlecode.com= /svn/trunk/edition_1/security_example. >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> Thanks, >> >> >> >>>> >>> >> >> >>> >> >> Karl >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> On Fri, Apr 22, 2011 at 11:45 AM, Kadri >> >> >> >>>> >>> >> >> >>> >> >> Atalay >> >> >> >>>> >>> >> >> >>> >> >> >> >> >> >>>> >>> >> >> >>> >> >> wrote: >> >> >> >>>> >>> >> >> >>> >> >> > Hello, >> >> >> >>>> >>> >> >> >>> >> >> > >> >> >> >>>> >>> >> >> >>> >> >> > Does anyone know which version of Solr >> >> >> >>>> >>> >> >> >>> >> >> > have >> >> >> >>>> >>> >> >> >>> >> >> > implements >> >> >> >>>> >>> >> >> >>> >> >> > the >> >> >> >>>> >>> >> >> >>> >> >> > Document >> >> >> >>>> >>> >> >> >>> >> >> > Level >> >> >> >>>> >>> >> >> >>> >> >> > Access Control, or has it implemented >> >> >> >>>> >>> >> >> >>> >> >> > (partially or >> >> >> >>>> >>> >> >> >>> >> >> > fully) >> >> >> >>>> >>> >> >> >>> >> >> > ? 
>> >> >> >>>> >>> >> >> >>> >> >> > Particularly issue #s 1834, 1872, 1895 >> >> >> >>>> >>> >> >> >>> >> >> > >> >> >> >>>> >>> >> >> >>> >> >> > Thanks >> >> >> >>>> >>> >> >> >>> >> >> > >> >> >> >>>> >>> >> >> >>> >> >> > Kadri >> >> >> >>>> >>> >> >> >>> >> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> >> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >>> > >> >> >> >>>> >>> >> >> >> >> >> >> >>>> >>> >> >> >> >> >> >> >>>> >>> >> >> > >> >> >> >>>> >>> >> > >> >> >> >>>> >>> >> > >> >> >> >>>> >>> > >> >> >> >>>> >>> > >> >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>> > >> >> >> >>> >> >> >> >>> >> >> >> >> >> >> >> > >> >> > >> >> > >> > >> > > >
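The thread quotes two things side by side: the line-oriented replies of the mcf-authority-service (`AUTHORIZED:`/`UNREACHABLEAUTHORITY:` status lines plus `TOKEN:` lines) and the allow/deny token fields that the schema change adds to each Solr document. The example below is added here to show how those two fit together; it is not code from ManifoldCF, Solr, or the ManifoldCF in Action security example. The filter-query shape, the escaping helper, the sample documents and the sample replies are all constructed assumptions. It also shows why a reply carrying only `TEQA-DC:S-1-1-0` (S-1-1-0 is the well-known Everyone SID) matches every document whose allow list contains that token, while a `DEAD_AUTHORITY` token from an unreachable authority matches nothing, which is the outcome Kadri observed for names with and without a domain suffix.

```python
import re

# Constructed sample replies, shaped like the curl output quoted in the thread.
RESPONSE_NO_DOMAIN = "UNREACHABLEAUTHORITY:TEQA-DC\nTOKEN:TEQA-DC:DEAD_AUTHORITY\n"
RESPONSE_WITH_DOMAIN = "AUTHORIZED:TEQA-DC\nTOKEN:TEQA-DC:S-1-1-0\n"

# Constructed sample index. Field names follow the allow/deny token fields
# discussed in the thread; the documents and their token lists are made up.
SAMPLE_DOCS = [
    {"id": "brief-0506",
     "allow_token_document": ["TEQA-DC:S-1-1-0", "TEQA-DC:S-1-5-2"],
     "deny_token_document": []},
    {"id": "admins-only",
     "allow_token_document": ["TEQA-DC:S-1-5-32-544"],
     "deny_token_document": []},
    {"id": "everyone-but-guests",
     "allow_token_document": ["TEQA-DC:S-1-1-0"],
     "deny_token_document": ["TEQA-DC:S-1-5-32-546"]},
]


def parse_authority_response(text):
    """Return ({authority: status}, [token, ...]) from a UserACLs reply.

    Every line is KIND:REST. TOKEN lines carry an access token; any other
    kind (AUTHORIZED, UNREACHABLEAUTHORITY, ...) is a per-authority status.
    """
    status, tokens = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, rest = line.partition(":")
        if kind == "TOKEN":
            tokens.append(rest)
        else:
            status[rest] = kind
    return status, tokens


# Lucene query-syntax metacharacters; SIDs contain ':' and '-', so tokens
# must be escaped before they are placed in a filter query.
_SOLR_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/]|&&|\|\|)')


def escape_term(token):
    """Backslash-escape a token so it is matched literally as one term."""
    return _SOLR_SPECIAL.sub(r"\\\1", token)


def build_filter_query(tokens):
    """Assumed fq shape: visible iff some user token is in the allow list
    and no user token is in the deny list. No tokens at all matches nothing."""
    if not tokens:
        return "-*:*"
    clause = " OR ".join(escape_term(t) for t in tokens)
    return "allow_token_document:(%s) AND NOT deny_token_document:(%s)" % (clause, clause)


def visible_docs(tokens, docs=SAMPLE_DOCS):
    """Apply the same allow/deny rule in memory, to check what the fq should return."""
    user = set(tokens)
    return [d["id"] for d in docs
            if user & set(d["allow_token_document"])
            and not user & set(d["deny_token_document"])]


if __name__ == "__main__":
    for label, reply in (("no domain", RESPONSE_NO_DOMAIN), ("with domain", RESPONSE_WITH_DOMAIN)):
        status, tokens = parse_authority_response(reply)
        print(label, status, tokens)
        print("  fq:", build_filter_query(tokens))
        print("  visible:", visible_docs(tokens))
```

Running it prints an empty visible list for the DEAD_AUTHORITY reply and both Everyone-tagged documents for the S-1-1-0 reply; a user token in a document's deny list removes that document even when the allow list matches.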