manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <daddy...@gmail.com>
Subject Re: ManifoldCF authentication service accept only in form of a user pricipal name
Date Sun, 15 May 2016 17:06:53 GMT
Ah, it must be the ES-1.5 plugin you are using.  That is not written by me;
it was a contribution.  And it looks like the author of the plugin used the
"@" as a way of separating the user name and MCF authorization domain, as
follows:

>>>>>>
      String[] authenticatedUserNameAndDomain = buffer.split("@", 2);
<<<<<<

Obviously this is completely at odds with the need to include the AD domain
in the user name.  I will bet also that nobody has used this with an actual
MCF domain, so I'm just going to change the separator character from "@" to
":" in MCFAuthorizer.java, as follows:

>>>>>>
      String[] authenticatedUserNameAndDomain = buffer.split(":", 2);
<<<<<<

Once again, JIRA is down and I cannot create the proper ticket for this,
but I will do so as soon as it is back up.

Thanks,
Karl



On Sun, May 15, 2016 at 12:41 PM, Karl Wright <daddywri@gmail.com> wrote:

> Hi Silvio,
>
> The "domain" argument to the authority service does not represent an
> Active Directory domain.  It represents an MCF authorization domain, which
> is described in the book and also in the other documentation.  This cannot
> be used as an active directory domain.
>
> >>>>>>
> Unfortuanately, the elasticsearch plugin for Apache ManifoldCF
> authentication service does not allow one to hand over a username in the
> form of the user principal name, e.g.msi@ourdomian.com. This is due to
> the fact that the @ sign is not allowed to be encoded in the user name.
> <<<<<<
>
> That's pretty surprising; the plugin has no character limits I am aware of
> for user names, and I wrote it.  Perhaps you simply need to use proper URL
> encoding practices in forming the URL you are invoking ElasticSearch with?
>
> Karl
>
>
> On Sun, May 15, 2016 at 11:39 AM, Silvio Meier <
> silvio.r.meier@quantentunnel.de> wrote:
>
>> Hi Apache ManifoldCF user list
>>
>> I’m experimenting with Apache ManifoldCF 2.3, Elasticsearch 1.74 and the
>> corresponding Elasticsearch plugin (v 2.0.1) which I use to index the
>> network Windows shares of our company.
>> I set up Apache Manifold using authorization services together with an
>> Active Directory.
>>
>> Using the Apache ManifoldCF authentication services with separated domain
>> name and user name does somehow not work for our active directory
>> configuration, so the when the following service call is made
>> http://localhost:8081/mcf-authority-service/UserACLs?username=msi&domain=ourdomain.com
>> , the authentication service does not return any ACL list. I tried to do
>> different combinations of domain names or netbios names together with user
>> names. Or just username without domain name. No success!
>>
>> However, the only thing that is working is when calling the authorization
>> service with
>> http://localhost:8081/mcf-authority-service/UserACLs?username=msi@ourdomain.com
>> , i.e., using the user principal name as username.  In this case the
>> service returns the correct set of ACLs.
>>
>> Unfortuanately, the elasticsearch plugin for Apache ManifoldCF
>> authentication service does not allow one to hand over a username in the
>> form of the user principal name, e.g. msi@ourdomian.com. This is due to
>> the fact that the @ sign is not allowed to be encoded in the user name. My
>> current work around (which works) is to adapt the elasticsearch plugin to
>> accept the @ sign in the user name. However, this is not a nice solution.
>> Is there a better (built-in) solution, or did I just something miss
>> regarding the authencation service?
>>
>> Regards
>> Silvio
>>
>>
>>
>>
>
>

Mime
View raw message