manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Sharepoint get ACL
Date Wed, 28 Dec 2016 11:41:28 GMT
Hi Cihad,

In your case, then, the connector is calling the
"Users:GetUserCollectionFromGroup" SOAP method in the SharePoint API.  This
method is supposed to list the users that belong to the group, but I suspect
that your SharePoint instance is not set up to work in that way, and that you
should in fact set your MCF up as follows:

- Do NOT select the "Active directory" setting.  Use "claims-based" instead.
- Use the appropriate SharePoint "native" authority.

Read up on how to do that here:

http://manifoldcf.apache.org/release/release-2.5/en_US/end-user-documentation.html#sharepointrepository

Thanks,
Karl


On Wed, Dec 28, 2016 at 6:26 AM, Cihad Guzel <cguzelg@gmail.com> wrote:

> Hi Karl,
>
> I selected "Active Directory". My SharePoint server runs with Active
> Directory.
>
> 2016-12-28 14:13 GMT+03:00 Karl Wright <daddywri@gmail.com>:
>
>> Hi Cihad,
>>
>> The code for looking for document ACLs is as follows:
>>
>> >>>>>>
>>         Object node = nodeList.get( i );
>>         String mask = doc.getValue( node, "Mask" );
>>         long maskValue = new Long(mask).longValue();
>>         if ((maskValue & 1L) == 1L)
>>         {
>>           // Permission to view
>>           String isUser = doc.getValue( node, "MemberIsUser" );
>>
>>           if ( isUser.compareToIgnoreCase("True") == 0 )
>>           {
>>             // Use AD user or group
>>             String userLogin = doc.getValue( node, "UserLogin" );
>>             String userSid = getSidForUser( userCall, userLogin, activeDirectoryAuthority );
>>             sids.add( userSid );
>>           }
>>           else
>>           {
>>             // Role
>>             List<String> roleSids;
>>             String roleName = doc.getValue( node, "RoleName" );
>>             if ( roleName.length() == 0)
>>             {
>>               roleName = doc.getValue(node,"GroupName");
>>               roleSids = getSidsForGroup(userCall, roleName, activeDirectoryAuthority);
>>             }
>>             else
>>             {
>>               roleSids = getSidsForRole(userCall, roleName, activeDirectoryAuthority);
>>             }
>>
>>             for (String sid : roleSids)
>>             {
>>               sids.add( sid );
>>             }
>>           }
>>         }
>>
>> <<<<<<
>>
>> So, in your example, getSidsForGroup() should be getting called.  The
>> code for that is as follows:
>>
>> >>>>>>
>>   private List<String> getSidsForGroup(com.microsoft.schemas.sharepoint.soap.directory.UserGroupSoap userCall, String groupName,
>>     boolean activeDirectoryAuthority)
>>     throws ManifoldCFException, java.net.MalformedURLException, javax.xml.rpc.ServiceException, java.rmi.RemoteException
>>   {
>>     List<String> rval = new ArrayList<String>();
>>
>>     com.microsoft.schemas.sharepoint.soap.directory.GetUserCollectionFromGroupResponseGetUserCollectionFromGroupResult roleResp = userCall.getUserCollectionFromGroup(groupName);
>>     org.apache.axis.message.MessageElement[] roleList = roleResp.get_any();
>>
>>     if (roleList.length != 1)
>>       throw new ManifoldCFException("Bad response - expecting one outer 'GetUserCollectionFromGroup' node, saw "+Integer.toString(roleList.length));
>>
>>     MessageElement roles = roleList[0];
>>     if (!roles.getElementName().getLocalName().equals("GetUserCollectionFromGroup"))
>>       throw new ManifoldCFException("Bad response - outer node should have been 'GetUserCollectionFromGroup' node");
>>
>>     Iterator rolesIter = roles.getChildElements();
>>
>>     if (!activeDirectoryAuthority)
>>     {
>>       // We need not only the group itself, but its user children that are Claims-based entities
>>       rval.add("G"+groupName);
>>       while (rolesIter.hasNext())
>>       {
>>         MessageElement child = (MessageElement)rolesIter.next();
>>         if (child.getElementName().getLocalName().equals("Users"))
>>         {
>>           Iterator usersIterator = child.getChildElements();
>>           while (usersIterator.hasNext())
>>           {
>>             MessageElement user = (MessageElement)usersIterator.next();
>>             if (user.getElementName().getLocalName().equals("User"))
>>             {
>>               String isDomainGroup = user.getAttribute("IsDomainGroup");
>>               if (isDomainGroup != null && isDomainGroup.equals("True"))
>>               {
>>                 // Add a user token for the domain group
>>                 rval.add("U"+user.getAttribute("LoginName"));
>>               }
>>             }
>>           }
>>         }
>>       }
>>     }
>>     else
>>     {
>>       while (rolesIter.hasNext())
>>       {
>>         MessageElement child = (MessageElement)rolesIter.next();
>>         if (child.getElementName().getLocalName().equals("Users"))
>>         {
>>           Iterator usersIterator = child.getChildElements();
>>           while (usersIterator.hasNext())
>>           {
>>             MessageElement user = (MessageElement)usersIterator.next();
>>             if (user.getElementName().getLocalName().equals("User"))
>>             {
>>               rval.add(user.getAttribute("Sid"));
>>             }
>>           }
>>         }
>>       }
>>     }
>>     return rval;
>>   }
>>
>> <<<<<<
>>
>> So what happens there depends on what you've selected for the
>> connection's "use Active Directory authority" selection.  What have you
>> chosen?
>>
>> Karl
>>
>> On Wed, Dec 28, 2016 at 5:35 AM, Cihad Guzel <cguzelg@gmail.com> wrote:
>>
>>> Hi Karl,
>>>
>>> 1- Yes, I selected Sharepoint 2013,
>>> 2- Yes, I installed the plugin in my Sharepoint server.
>>>
>>> 2016-12-28 2:54 GMT+03:00 Karl Wright <daddywri@gmail.com>:
>>>
>>>> Hi Cihad,
>>>>
>>>> Some questions:
>>>> (1) Have you selected "SharePoint 2013" in your SharePoint connection?
>>>> (2) Have you installed the ManifoldCF SharePoint 2013 plugin on your
>>>> SharePoint server?
>>>>
>>>> You will need to do both of these in order for SharePoint 2013 ACLs to
>>>> work right.
>>>>
>>>> Thanks,
>>>> Karl
>>>>
>>>>
>>>> On Tue, Dec 27, 2016 at 3:01 PM, Cihad Guzel <cguzelg@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying MFC with Sharepoint 2013. First, I install the sharepoint
>>>>> plugin and then run my job. My files in sharepoint are indexed successfully
>>>>> to Solr. But I don't see the ACLs in solr index. You can see my sample solr
>>>>> data as follows:
>>>>>
>>>>> "filename":"Sample.doc",
>>>>> "allow_token_document":["Authority+Group:"],
>>>>> "deny_token_document":["Authority+Group:DEAD_AUTHORITY"],
>>>>> "deny_token_parent":["__nosecurity__"],
>>>>> "allow_token_share":["__nosecurity__"],
>>>>> "allow_token_parent":["__nosecurity__"],
>>>>> "deny_token_share":["__nosecurity__"],
>>>>>
>>>>> I run Sharepoint connector with debug mode. I follow Manifoldcf log
>>>>> but I don't see any error in it. I can see "getDocumentACLs xml response:"
>>>>> in the log as follows:
>>>>>
>>>>> <ns1:GetPermissionCollection ><ns1:Permissions>
>>>>> ...
>>>>>   <ns1:Permission MemberID="3" Mask="-1" MemberIsUser="False" MemberGlobal="True" GroupName="testsite Owners"/>
>>>>>        ...
>>>>>     </ns1:Permissions>
>>>>> </ns1:GetPermissionCollection>
>>>>>
>>>>> How do I follow a way to solve the problem?
>>>>>
>>>>>
>>>>> --
>>>>> Regards
>>>>> Cihad Güzel
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks
>>> Cihad Güzel
>>>
>>
>>
>
>
> --
> Thanks
> Cihad Güzel
>
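
An added example, not part of the thread and not ManifoldCF's own code: the branching of the quoted getSidsForGroup() reimplemented over the JDK's DOM parser, so the tokens each authority setting produces can be compared for one group. The response XML, its attribute values and the class name `GroupTokenDemo` are constructed for illustration, and the empty `Sid` attributes are an assumption about how a claims-mode site might answer, not something shown in the thread.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class GroupTokenDemo {
  // Constructed sample response; attribute values are illustrative, not from the thread.
  static final String SAMPLE =
      "<GetUserCollectionFromGroup xmlns=\"http://schemas.microsoft.com/sharepoint/soap/directory/\"><Users>"
    + "<User LoginName=\"c:0+.w|s-1-5-21-0-0-0-1111\" IsDomainGroup=\"True\" Sid=\"\"/>"
    + "<User LoginName=\"i:0#.w|example\\user1\" IsDomainGroup=\"False\" Sid=\"\"/>"
    + "</Users></GetUserCollectionFromGroup>";

  // View permission is bit 0 of Mask, as in the quoted connector code.
  static boolean canView(String mask) {
    return (Long.parseLong(mask) & 1L) == 1L;
  }

  // Same branching as the quoted getSidsForGroup(); collects every User element
  // in the response rather than walking Users/User children one level at a time.
  static List<String> tokensForGroup(String xml, String groupName, boolean activeDirectoryAuthority)
      throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setNamespaceAware(true);
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs
    Element root = f.newDocumentBuilder()
        .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
    List<String> rval = new ArrayList<>();
    if (!activeDirectoryAuthority) rval.add("G" + groupName);   // claims mode: the group itself
    NodeList users = root.getElementsByTagNameNS("*", "User");
    for (int i = 0; i < users.getLength(); i++) {
      Element user = (Element) users.item(i);
      if (activeDirectoryAuthority) {
        rval.add(user.getAttribute("Sid"));                     // AD mode: whatever Sid holds, even ""
      } else if ("True".equals(user.getAttribute("IsDomainGroup"))) {
        rval.add("U" + user.getAttribute("LoginName"));         // claims mode: domain groups only
      }
    }
    return rval;
  }

  public static void main(String[] args) throws Exception {
    System.out.println("Mask=-1 grants view: " + canView("-1"));
    System.out.println("Active Directory: " + tokensForGroup(SAMPLE, "testsite Owners", true));
    System.out.println("Claims-based:     " + tokensForGroup(SAMPLE, "testsite Owners", false));
  }
}
```

On this constructed input the Active Directory branch yields only empty strings, while the claims-based branch yields a group token plus one user token for the domain group.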
