From: Karl Wright
To: connectors-user@incubator.apache.org
Date: Mon, 9 May 2011 17:45:48 -0400
Subject: Re: Which version of Solr have implements the Document Level Access Control

Shinichiro submitted a patch based on simply selecting which field to use,
and that was committed earlier today. But thanks anyway!

Karl

On Mon, May 9, 2011 at 4:47 PM, Kadri Atalay wrote:
> Hi Karl,
>
> sAMAccountName holds the logon name up to 20 chars, and userPrincipalName
> holds the logon name up to 256 (including domain name).
>
> I made changes to accommodate both cases: Please see attached file:
>
> We can resolve this issue by making 2 calls to getDistinguishedName method
> using different attributes.
> First call is with sAMAccountName (supports only up to 20 chars)
> If that fails, we can call again using userPrincipalName, up to 256 chars.
>
> Configuration may be used if we don't want to make 2 calls for performance
> reasons.
>
>     //Get DistinguishedName (for this method we are using DomainPart as a searchBase ie: DC=qa-ad-76,DC=metacarta,DC=com")
>     //First call is for logon-name limited to 20 chars used with sAMAccountName
>     String userDN = getDistinguishedName(userPart, domainsb.toString(), "sAMAccountName" );
>
>     //Second call is for logon-name NOT limited to 20 chars used with userPrincipalName
>     if (userDN == null)
>         userDN = getDistinguishedName(userName, domainsb.toString(), "userPrincipalName");
>     return userDN;
>
> Following are the test results:
>
> Thanks
>
> Kadri
>
>
> C:\OPT>echo follOWING users are the same
>
> username 25 characters long
>
> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=1234567890123456789012345@teqa.filetek.com"
> AUTHORIZED:TEQA-DC
> TOKEN:TEQA-DC:S-1-5-32-545
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-2627
> TOKEN:TEQA-DC:S-1-1-0
>
> username 20 characters long
>
> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=12345678901234567890@teqa.filetek.com"
> AUTHORIZED:TEQA-DC
> TOKEN:TEQA-DC:S-1-5-32-545
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-2627
> TOKEN:TEQA-DC:S-1-1-0
>
> C:\OPT>
>
>
> On Sun, May 8, 2011 at 10:19 AM, Karl Wright wrote:
>>
>> This looked very good, so I committed it as-is. It does, however,
>> invalidate Shinichiro's earlier patch for CONNECTORS-197. Would you
>> know what the login id field would be if the active directory instance
>> does not have sAMAccountName? Is it uid?
>>
>> Karl
>>
>> On Fri, May 6, 2011 at 6:24 PM, Kadri Atalay wrote:
>> > Hi Karl,
>> >
>> > While looking over AD access and attributes, I found that
>> > "distinguishedName" attribute contains all the information we need for
>> > TokenGroups search, in the correct format ie:
>> > "CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
>> > and by using this attribute instead of CN, we don't need to build the
>> > searchbase ourselves.
>> >
>> > There are 2 advantages of using this attribute:
>> > 1- Even if the user is not part of users group (whatever the reason
>> > may be) we still get the results back, because his information is
>> > included in the "distinguishedName" attribute.
>> > 2- We don't need to treat any special characters like comma, etc.
>> > (it's already formatted).
>> >
>> > I tested the code, it works. Please see attached for the latest.
>> >
>> > Thanks
>> >
>> > Kadri
>> >
>> > Following is no longer needed:
>> >     StringBuffer sb = new StringBuffer();
>> >     sb.append("CN=").append(ldapEscape(userCN)).append(",CN=Users,");
>> >     sb.append(domainsb);
>> >
>> >
>> > On Fri, May 6, 2011 at 11:03 AM, Kadri Atalay wrote:
>> >>
>> >> Hi Karl,
>> >>
>> >> Tested, and it's working.
>> >>
>> >> Thanks!
>> >>
>> >> Kadri
>> >>
>> >>
>> >> On Thu, May 5, 2011 at 7:29 PM, Karl Wright wrote:
>> >>>
>> >>> I think yours was working because it was returning "cn=null,
>> >>> cn=users", which was a result of the fact that cn was null and the
>> >>> expression was assembled using the "+" operator. When I separated the
>> >>> ldap escape out, it caused a null pointer exception to be thrown
>> >>> instead. It should be fixed now.
>> >>>
>> >>> Karl
>> >>>
>> >>>
>> >>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay wrote:
>> >>> > Fyi. The file I sent you was returning usernotfound.
>> >>> >
>> >>> >
>> >>> > Sent from my iPhone
>> >>> >
>> >>> > On May 5, 2011, at 7:12 PM, Karl Wright wrote:
>> >>> >
>> >>> >> It must mean we're somehow throwing an exception in the case where
>> >>> >> the user is missing. I bet I know why - the CN lookup is failing
>> >>> >> instead. I'll see if I can change it.
>> >>> >>
>> >>> >> Karl
>> >>> >>
>> >>> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay wrote:
>> >>> >>> It works, only difference I see with previous one is: if a domain
>> >>> >>> is reachable, message usernotfound makes a better indicator, somehow
>> >>> >>> we lost that.
>> >>> >>>
>> >>> >>>
>> >>> >>> C:\OPT>testauthority
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> Previous one
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@teqa.filetek.com"
>> >>> >>> USERNOTFOUND:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>> >>> AUTHORIZED:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> >>> >>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@teqa.filetek.com"
>> >>> >>> AUTHORIZED:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>> >>> >>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>
>> >>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>> >>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>> >>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>> >>> >>>
>> >>> >>>
>> >>> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright wrote:
>> >>> >>>>
>> >>> >>>> I've cleaned things up slightly to restore the objectSid and also
>> >>> >>>> to fix an infinite loop if you have more than one comma in the
>> >>> >>>> escape expression. I've attached the file, can you see if it works?
>> >>> >>>>
>> >>> >>>> Thanks,
>> >>> >>>> Karl
>> >>> >>>>
>> >>> >>>>
>> >>> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright wrote:
>> >>> >>>>> Thanks - we do need the user sid, so I will put that back.
>> >>> >>>>>
>> >>> >>>>> Also, I'd like to ask what you know about escaping the user name
>> >>> >>>>> in this expression:
>> >>> >>>>>
>> >>> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
>> >>> >>>>>
>> >>> >>>>> It seems to me that there is probably some escaping needed, but
>> >>> >>>>> I don't know what style. Do you think it is the same (C-style,
>> >>> >>>>> with \ escape) as for the other case?
>> >>> >>>>>
>> >>> >>>>> Karl
>> >>> >>>>>
>> >>> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay wrote:
>> >>> >>>>>> Hi Karl,
>> >>> >>>>>>
>> >>> >>>>>>     String returnedAtts[]={"tokenGroups"} is ONLY returning the memberGroups,
>> >>> >>>>>>
>> >>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>> >>>>>> AUTHORIZED:TEQA-DC
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>>>>
>> >>> >>>>>> but,
>> >>> >>>>>>
>> >>> >>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning memberGroups AND SID for that user.
>> >>> >>>>>>
>> >>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa.filetek.com"
>> >>> >>>>>> AUTHORIZED:TEQA-DC
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> >>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>> >>> >>>>>>
>> >>> >>>>>> Since we are only interested in the member groups, tokenGroups
>> >>> >>>>>> is sufficient, but if you also need user SID then you might keep
>> >>> >>>>>> the objectSID as well.
>> >>> >>>>>>
>> >>> >>>>>> Thanks
>> >>> >>>>>>
>> >>> >>>>>> Kadri
>> >>> >>>>>>
>> >>> >>>>>>
>> >>> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright wrote:
>> >>> >>>>>>>
>> >>> >>>>>>> I am curious about the following change, which does not seem
>> >>> >>>>>>> correct:
>> >>> >>>>>>>
>> >>> >>>>>>>
>> >>> >>>>>>>     //Specify the attributes to return
>> >>> >>>>>>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>> >>> >>>>>>> +    String returnedAtts[]={"tokenGroups"};
>> >>> >>>>>>>     searchCtls.setReturningAttributes(returnedAtts);
>> >>> >>>>>>>
>> >>> >>>>>>> Karl
>> >>> >>>>>>>
>> >>> >>>>>>>
>> >>> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay wrote:
>> >>> >>>>>>>> Karl,
>> >>> >>>>>>>>
>> >>> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
>> >>> >>>>>>>>
>> >>> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do
>> >>> >>>>>>>> that from Tortoise.
>> >>> >>>>>>>> But, you got my consent for granting the ASF license.
>> >>> >>>>>>>>
>> >>> >>>>>>>> Thanks
>> >>> >>>>>>>>
>> >>> >>>>>>>> Kadri
>> >>> >>>>>>>>
>> >>> >>>>>>>>
>> >>> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright wrote:
>> >>> >>>>>>>>>
>> >>> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file
>> >>> >>>>>>>>> to the ticket if you prefer. But you must click the "Grant ASF
>> >>> >>>>>>>>> License" button.
>> >>> >>>>>>>>>
>> >>> >>>>>>>>> Karl
>> >>> >>>>>>>>>
>> >>> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay wrote:
>> >>> >>>>>>>>>> Karl,
>> >>> >>>>>>>>>>
>> >>> >>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>> >>> >>>>>>>>>> Do you know how to do this with Tortoise ?
>> >>> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
>> >>> >>>>>>>>>> BTW, there are some changes in the ParseUser method also,
>> >>> >>>>>>>>>> you can see all when you run the diff.
>> >>> >>>>>>>>>>
>> >>> >>>>>>>>>> Thanks
>> >>> >>>>>>>>>>
>> >>> >>>>>>>>>> Kadri
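Review bot: the `+` line in the returnedAtts hunk quoted in Karl's 6:01 PM reply drops objectSid from the requested attributes, so the user's own SID no longer comes back alongside the tokenGroups; Kadri's two curl outputs in the thread show the TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480 line only when objectSid is requested, and Karl later states the user SID is needed, so the `-` line `String returnedAtts[] = {"tokenGroups","objectSid"};` should stand. Minor style point on the same `+` line: it also loses the spaces around `=` that the surrounding code uses.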
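Karl's question about escaping the user name inside `(&(objectClass=user)(sAMAccountName=...))` is answered by RFC 4515, which hex-escapes the filter metacharacters `*`, `(`, `)`, `\` and NUL rather than using C-style backslash escapes. The following is an added example, not code from ActiveDirectoryAuthority.java or the project: `escapeFilterValue`, `userFilter`, `lookupUserDn` and the `DnLookup` interface are hypothetical names, and `DnLookup` stands in for the real getDistinguishedName(...) directory call so that the sAMAccountName-then-userPrincipalName order from Kadri's patch can be shown offline.

```java
// Added example, not the project's code: RFC 4515 escaping for values spliced
// into an LDAP search filter, plus the sAMAccountName-then-userPrincipalName
// lookup order from Kadri's patch. All names are hypothetical; DnLookup stands
// in for the real getDistinguishedName(...) directory call.
import java.nio.charset.StandardCharsets;

public class LdapFilterEscape {
    /** Escape one value for use inside an LDAP filter (RFC 4515, section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20 || c >= 0x80) {
                // metacharacter, control byte or non-ASCII UTF-8 byte: \XX hex form
                sb.append('\\').append(String.format("%02x", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    /** The filter from the thread, with the caller-supplied value escaped. */
    public static String userFilter(String attribute, String logonName) {
        return "(&(objectClass=user)(" + attribute + "="
                + escapeFilterValue(logonName) + "))";
    }

    /** Hypothetical stand-in for the directory search: returns a DN or null. */
    public interface DnLookup { String findDn(String filter); }

    /** sAMAccountName first (logon names up to 20 chars), then userPrincipalName. */
    public static String lookupUserDn(DnLookup ldap, String userPart, String userName) {
        String dn = ldap.findDn(userFilter("sAMAccountName", userPart));
        if (dn == null) {
            dn = ldap.findDn(userFilter("userPrincipalName", userName));
        }
        return dn;
    }

    public static void main(String[] args) {
        // Constructed sample values; the second one contains filter metacharacters.
        System.out.println(userFilter("sAMAccountName", "katalay"));
        System.out.println(userFilter("userPrincipalName", "k*atalay(1)@teqa.filetek.com"));
        // Constructed in-memory directory that only answers the userPrincipalName filter.
        DnLookup fake = f -> f.contains("userPrincipalName=katalay@")
                ? "CN=katalay,CN=Users,DC=teqa,DC=filetek,DC=com" : null;
        System.out.println(lookupUserDn(fake, "katalay", "katalay@teqa.filetek.com"));
    }
}
```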