manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Silvio Meier <silvio.r.me...@quantentunnel.de>
Subject Re: ManifoldCF authentication service accept only in form of a user pricipal name
Date Mon, 16 May 2016 17:16:07 GMT
Hi Karl

Thanks for the fast response. I was little bit confused about the domain concept because the
Elasticsearch plugin used the  @ sign for separating MCF auth domains from user names, which
actually looked to me as if the MCF domain was the same as the AD domain.

I'm already using a version that I have patched myself. However, your solution looks much
better. Will it be part of an official release in future?

Thanks
regards
Silvio


On 15.05.2016 19:06, Karl Wright wrote:
> Ah, it must be the ES-1.5 plugin you are using. That is not written by 
> me; it was a contribution.  And it looks like the author of the plugin 
> used the "@" as a way of separating the user name and MCF 
> authorization domain, as follows:
>
> >>>>>>
>       String[] authenticatedUserNameAndDomain = buffer.split("@", 2);
> <<<<<<
>
> Obviously this is completely at odds with the need to include the AD 
> domain in the user name.  I will bet also that nobody has used this 
> with an actual MCF domain, so I'm just going to change the separator 
> character from "@" to ":" in MCFAuthorizer.java, as follows:
>
> >>>>>>
>       String[] authenticatedUserNameAndDomain = buffer.split(":", 2);
> <<<<<<
>
> Once again, JIRA is down and I cannot create the proper ticket for 
> this, but I will do so as soon as it is back up.
>
> Thanks,
> Karl
>
>
>
> On Sun, May 15, 2016 at 12:41 PM, Karl Wright <daddywri@gmail.com 
> <mailto:daddywri@gmail.com>> wrote:
>
>     Hi Silvio,
>
>     The "domain" argument to the authority service does not represent
>     an Active Directory domain.  It represents an MCF authorization
>     domain, which is described in the book and also in the other
>     documentation.  This cannot be used as an active directory domain.
>
>     >>>>>>
>     Unfortuanately, the elasticsearch plugin for Apache ManifoldCF
>     authentication service does not allow one to hand over a username
>     in the form of the user principal name, e.g.msi@ourdomian.com
>     <mailto:msi@ourdomian.com>. This is due to the fact that the @
>     sign is not allowed to be encoded in the user name.
>     <<<<<<
>
>     That's pretty surprising; the plugin has no character limits I am
>     aware of for user names, and I wrote it.  Perhaps you simply need
>     to use proper URL encoding practices in forming the URL you are
>     invoking ElasticSearch with?
>
>     Karl
>
>
>     On Sun, May 15, 2016 at 11:39 AM, Silvio Meier
>     <silvio.r.meier@quantentunnel.de
>     <mailto:silvio.r.meier@quantentunnel.de>> wrote:
>
>         Hi Apache ManifoldCF user list
>         I’m experimenting with Apache ManifoldCF 2.3, Elasticsearch
>         1.74 and the corresponding Elasticsearch plugin (v 2.0.1)
>         which I use to index the network Windows shares of our company.
>         I set up Apache Manifold using authorization services together
>         with an Active Directory.
>         Using the Apache ManifoldCF authentication services with
>         separated domain name and user name does somehow not work for
>         our active directory configuration, so the when the following
>         service call is made
>         http://localhost:8081/mcf-authority-service/UserACLs?username=msi&domain=ourdomain.com
>         , the authentication service does not return any ACL list. I
>         tried to do different combinations of domain names or netbios
>         names together with user names. Or just username without
>         domain name. No success!
>         However, the only thing that is working is when calling the
>         authorization service with
>         http://localhost:8081/mcf-authority-service/UserACLs?username=msi@ourdomain.com
>         , i.e., using the user principal name as username.  In this
>         case the service returns the correct set of ACLs.
>         Unfortuanately, the elasticsearch plugin for Apache ManifoldCF
>         authentication service does not allow one to hand over a
>         username in the form of the user principal name, e.g.
>         msi@ourdomian.com <mailto:msi@ourdomian.com>. This is due to
>         the fact that the @ sign is not allowed to be encoded in the
>         user name. My current work around (which works) is to adapt
>         the elasticsearch plugin to accept the @ sign in the user
>         name. However, this is not a nice solution. Is there a better
>         (built-in) solution, or did I just something miss regarding
>         the authencation service?
>         Regards
>         Silvio
>
>
>

Mime
View raw message