manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kambiz Niktabar <nikta...@yahoo.com>
Subject Re: Two Active directory connections in Authority group
Date Fri, 31 Oct 2014 08:09:20 GMT
Hi again Karl,

Just have another question. Here we have a scenario that groups in extranet AD domain have
members from intranet AD domain. Is is any way to get those group being expanded and user
see the documents given access to those groups?

Regards
Kambiz


________________________________
 From: Kambiz Niktabar <niktabar@yahoo.com>
To: Karl Wright <daddywri@gmail.com>; "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>

Sent: Tuesday, October 28, 2014 10:24 PM
Subject: Re: Two Active directory connections in Authority group
 


Hi Karl,

Thanks a lot for the information. I added second AD domain to the same Active Directory authority
and it works fine now :)

Regards
Kambiz




________________________________
 From: Karl Wright <daddywri@gmail.com>
To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>; Kambiz Niktabar <niktabar@yahoo.com>

Sent: Tuesday, October 28, 2014 5:24 PM
Subject: Re: Two Active directory connections in Authority group
 


I should also add that it is really helpful for diagnosing problems of this kind to use curl,
e.g.:

curl http://localhost:8345/mcf-authority-service/UserACLs?user=kambiz@something.net

... and see what gets returned.  If you see DEAD_AUTHORITY in the list of acls, don't expect
to see any documents from the associated authority group.


Thanks,
Karl






On Tue, Oct 28, 2014 at 12:09 PM, Karl Wright <daddywri@gmail.com> wrote:

Hi Kambiz,
>
>The Active Directory authority is not an "additive" authority, so you cannot use it within
the same authorization group with other authorities, and expect it to work cumulatively. 
The reason is that when there is a problem (e.g. user not found or server unreachable), the
authority asserts the "DEAD_AUTHORITY" token, which effectively disables any documents from
being returned.  This is necessary whenever the repository has a security model that has "deny"
tokens, and that's the case for most repositories secured by Active Directory.
>
>For this reason, we long ago added the ability to have multiple Active Directory domains
within the same Active Directory authority.  This is what you should use, since it will behave
in the manner you expect.  
>
>Thanks,
>Karl
>
>
>
>
>On Tue, Oct 28, 2014 at 11:35 AM, Kambiz Niktabar <niktabar@yahoo.com> wrote:
>
>Hello,
>>
>>
>>I want to have two
active directory connections (intranet and extranet AD) in one Authority group
but it seems it’s not working as expected. I’m getting hits when I have only Intranet
AD in the authority group and I got zero hits when I add Extranet AD into the
same authority group
>>
>>
>>
>>I attached Solr log files for two scenarios. 
>>
>>
>>Regards
>>Kambiz
>
Mime
View raw message