manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Sharepoint get ACL
Date Fri, 30 Dec 2016 13:52:06 GMT
Hi Cihad,

I am almost certain your Sharepoint 2013 setup is using claims-based
authorization, since that is the default for Sharepoint 2013 and the
installer would have had to select something else to override that default.

Claims-based auth works fine with Active Directory but you must use
different MCF authorities with claims-based auth than you would with
non-claims-based auth.  If your users are all in groups, and your documents
are secured by groups, then your ACLs will describe those groups and NOT
the SIDs.  That's perfectly OK.  You simply need to have BOTH the
Sharepoint Active Directory Authority and the Sharepoint Native Authority
in your authorization group and everything maps as it should.  Of course,
that authorization group must be the one referenced by your Sharepoint
Repository Connection or the authorization won't work.

Please try this and let me know if it works for you.

Karl


On Fri, Dec 30, 2016 at 8:25 AM, Cihad Guzel <cguzelg@gmail.com> wrote:

> Hi Karl,
>
> I have changed the authority group to Native SharePoint instead of Active
> Directory and I can see the allow tokens in the Solr index as follows:
>
> "allow_token_document":["Authority+Group:Ui%3A0%23.w%7Clagom%5Cadministrator",
>           "Authority+Group:GExcel+Services+Viewers",
>           "Authority+Group:GRestricted+Readers",
>           "Authority+Group:Gtestsite+Members",
>           "Authority+Group:GHierarchy+Managers",
>           "Authority+Group:GApprovers",
>           "Authority+Group:Gtestsite+Visitors",
>           "Authority+Group:Gtestsite+Owners",
>           "Authority+Group:GDesigners"],
>
>
> If I select the "Active Directory" setting, I don't see any tokens.
>
> "allow_token_document":["Authority+Group:"],
>
> I tried user profile synchronization from Active Directory. I followed
> https://blogs.technet.microsoft.com/meacoex/2013/08/04/step-by-step-active-directory-import-for-sharepoint-2013/
> I could see all Active Directory users in SharePoint. Then, I requested
> GetUserInfo and GetGroupCollectionFromUser in the SharePoint API via soapUI, but
> the Sid field is empty for all users. You can see the response as follows:
>
> <GetUserInfo>
>    <User ID="17" Sid="" Name="testUser" LoginName="i:0#.w|lagom\testUser"
> Email="testUser@tesDomain.com" Notes="" IsSiteAdmin="False"
> IsDomainGroup="False" Flags="0"/>
> </GetUserInfo>
>
> <GetUserCollectionFromGroup>
>    <Users>
>       <User ID="17" Sid="" Name="testUser" LoginName="i:0#.w|lagom\testUser"
> Email="testUser@testDomain.com" Notes="" IsSiteAdmin="False"
> IsDomainGroup="False" Flags="0"/>
>       <User ID="18" Sid="" Name="testUser2" LoginName="i:0#.w|lagom\testUser2"
> Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
>    </Users>
> </GetUserCollectionFromGroup>
>
> I created an issue on stackexchange. You can see it here:
> http://sharepoint.stackexchange.com/questions/203761/sid-have-empty-values-after-sharepoint-userprofile-sync
> I can see the "sid" value if I query the SharePoint REST API like this:
> <siteurl>/_api/sp.userprofiles.peoplemanager/getuserprofilepropertyfor(accountname=@v,propertyname='SID')?@v='testdomain\testUser'
>
> The response:
> <d:GetUserProfilePropertyFor xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">S-1-5-21-151231991-263585328-740192949-1109</d:GetUserProfilePropertyFor>
>
> Then I saw a manifoldcf issue: https://issues.apache.org/jira/browse/CONNECTORS-754 .
> The issue was resolved. But I'm having the same problem.
>
>
>
>
>
>
>
> 2016-12-28 14:41 GMT+03:00 Karl Wright <daddywri@gmail.com>:
>
>> Hi Cihad,
>>
>> In your case, then, the connector is calling the "Users:
>> GetUserCollectionFromGroup" SOAP method in the SharePoint API.  This
>> method is supposed to list the users that belong to the group, but I
>> suspect that your SharePoint instance is not set up to work in that way,
>> and that you should in fact set your MCF up as follows:
>>
>> - Do NOT select the "Active directory" setting.  Use "claims-based"
>> instead.
>> - Use the appropriate SharePoint "native" authority.
>>
>> Read up on how to do that here:
>>
>> http://manifoldcf.apache.org/release/release-2.5/en_US/end-user-documentation.html#sharepointrepository
>>
>> Thanks,
>> Karl
>>
>>
>> On Wed, Dec 28, 2016 at 6:26 AM, Cihad Guzel <cguzelg@gmail.com> wrote:
>>
>>> Hi Karl,
>>>
>>> I selected "Active Directory". My SharePoint server runs with Active
>>> Directory.
>>>
>>> 2016-12-28 14:13 GMT+03:00 Karl Wright <daddywri@gmail.com>:
>>>
>>>> Hi Cihad,
>>>>
>>>> The code for looking for document ACLs is as follows:
>>>>
>>>> >>>>>>
>>>>         Object node = nodeList.get( i );
>>>>         String mask = doc.getValue( node, "Mask" );
>>>>         long maskValue = new Long(mask).longValue();
>>>>         if ((maskValue & 1L) == 1L)
>>>>         {
>>>>           // Permission to view
>>>>           String isUser = doc.getValue( node, "MemberIsUser" );
>>>>
>>>>           if ( isUser.compareToIgnoreCase("True") == 0 )
>>>>           {
>>>>             // Use AD user or group
>>>>             String userLogin = doc.getValue( node, "UserLogin" );
>>>>             String userSid = getSidForUser( userCall, userLogin, activeDirectoryAuthority );
>>>>             sids.add( userSid );
>>>>           }
>>>>           else
>>>>           {
>>>>             // Role
>>>>             List<String> roleSids;
>>>>             String roleName = doc.getValue( node, "RoleName" );
>>>>             if ( roleName.length() == 0)
>>>>             {
>>>>               roleName = doc.getValue(node,"GroupName");
>>>>               roleSids = getSidsForGroup(userCall, roleName, activeDirectoryAuthority);
>>>>             }
>>>>             else
>>>>             {
>>>>               roleSids = getSidsForRole(userCall, roleName, activeDirectoryAuthority);
>>>>             }
>>>>
>>>>             for (String sid : roleSids)
>>>>             {
>>>>               sids.add( sid );
>>>>             }
>>>>           }
>>>>         }
>>>>
>>>> <<<<<<
>>>>
>>>> So, in your example, getSidsForGroup() should be getting called.  The
>>>> code for that is as follows:
>>>>
>>>> >>>>>>
>>>>   private List<String> getSidsForGroup(com.microsoft.schemas.sharepoint.soap.directory.UserGroupSoap userCall, String groupName,
>>>>     boolean activeDirectoryAuthority)
>>>>     throws ManifoldCFException, java.net.MalformedURLException, javax.xml.rpc.ServiceException, java.rmi.RemoteException
>>>>   {
>>>>     List<String> rval = new ArrayList<String>();
>>>>
>>>>     com.microsoft.schemas.sharepoint.soap.directory.GetUserCollectionFromGroupResponseGetUserCollectionFromGroupResult roleResp = userCall.getUserCollectionFromGroup(groupName);
>>>>     org.apache.axis.message.MessageElement[] roleList = roleResp.get_any();
>>>>
>>>>     if (roleList.length != 1)
>>>>       throw new ManifoldCFException("Bad response - expecting one outer 'GetUserCollectionFromGroup' node, saw "+Integer.toString(roleList.length));
>>>>
>>>>     MessageElement roles = roleList[0];
>>>>     if (!roles.getElementName().getLocalName().equals("GetUserCollectionFromGroup"))
>>>>       throw new ManifoldCFException("Bad response - outer node should have been 'GetUserCollectionFromGroup' node");
>>>>
>>>>     Iterator rolesIter = roles.getChildElements();
>>>>
>>>>     if (!activeDirectoryAuthority)
>>>>     {
>>>>       // We need not only the group itself, but its user children that are Claims-based entities
>>>>       rval.add("G"+groupName);
>>>>       while (rolesIter.hasNext())
>>>>       {
>>>>         MessageElement child = (MessageElement)rolesIter.next();
>>>>         if (child.getElementName().getLocalName().equals("Users"))
>>>>         {
>>>>           Iterator usersIterator = child.getChildElements();
>>>>           while (usersIterator.hasNext())
>>>>           {
>>>>             MessageElement user = (MessageElement)usersIterator.next();
>>>>             if (user.getElementName().getLocalName().equals("User"))
>>>>             {
>>>>               String isDomainGroup = user.getAttribute("IsDomainGroup");
>>>>               if (isDomainGroup != null && isDomainGroup.equals("True"))
>>>>               {
>>>>                 // Add a user token for the domain group
>>>>                 rval.add("U"+user.getAttribute("LoginName"));
>>>>               }
>>>>             }
>>>>           }
>>>>         }
>>>>       }
>>>>     }
>>>>     else
>>>>     {
>>>>       while (rolesIter.hasNext())
>>>>       {
>>>>         MessageElement child = (MessageElement)rolesIter.next();
>>>>         if (child.getElementName().getLocalName().equals("Users"))
>>>>         {
>>>>           Iterator usersIterator = child.getChildElements();
>>>>           while (usersIterator.hasNext())
>>>>           {
>>>>             MessageElement user = (MessageElement)usersIterator.next();
>>>>             if (user.getElementName().getLocalName().equals("User"))
>>>>             {
>>>>               rval.add(user.getAttribute("Sid"));
>>>>             }
>>>>           }
>>>>         }
>>>>       }
>>>>     }
>>>>     return rval;
>>>>   }
>>>>
>>>> <<<<<<
>>>>
>>>> So what happens there depends on what you've selected for the
>>>> connection's "use Active Directory authority" selection.  What have you
>>>> chosen?
>>>>
>>>> Karl
>>>>
>>>> On Wed, Dec 28, 2016 at 5:35 AM, Cihad Guzel <cguzelg@gmail.com> wrote:
>>>>
>>>>> Hi Karl,
>>>>>
>>>>> 1- Yes, I selected Sharepoint 2013,
>>>>> 2- Yes, I installed the plugin in my Sharepoint server.
>>>>>
>>>>> 2016-12-28 2:54 GMT+03:00 Karl Wright <daddywri@gmail.com>:
>>>>>
>>>>>> Hi Cihad,
>>>>>>
>>>>>> Some questions:
>>>>>> (1) Have you selected "SharePoint 2013" in your SharePoint connection?
>>>>>> (2) Have you installed the ManifoldCF SharePoint 2013 plugin on your
>>>>>> SharePoint server?
>>>>>>
>>>>>> You will need to do both of these in order for SharePoint 2013 ACLs
>>>>>> to work right.
>>>>>>
>>>>>> Thanks,
>>>>>> Karl
>>>>>>
>>>>>>
>>>>>> On Tue, Dec 27, 2016 at 3:01 PM, Cihad Guzel <cguzelg@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am trying MCF with Sharepoint 2013. First, I installed the
>>>>>>> sharepoint plugin and then ran my job. My files in SharePoint are indexed
>>>>>>> successfully to Solr. But I don't see the ACLs in the Solr index. You can see
>>>>>>> my sample Solr data as follows:
>>>>>>>
>>>>>>> "filename":"Sample.doc",
>>>>>>> "allow_token_document":["Authority+Group:"],
>>>>>>> "deny_token_document":["Authority+Group:DEAD_AUTHORITY"],
>>>>>>> "deny_token_parent":["__nosecurity__"],
>>>>>>> "allow_token_share":["__nosecurity__"],
>>>>>>> "allow_token_parent":["__nosecurity__"],
>>>>>>> "deny_token_share":["__nosecurity__"],
>>>>>>>
>>>>>>> I ran the Sharepoint connector in debug mode. I followed the ManifoldCF log
>>>>>>> but I don't see any error in it. I can see "getDocumentACLs xml response:" in
>>>>>>> the log as follows:
>>>>>>>
>>>>>>> <ns1:GetPermissionCollection ><ns1:Permissions>
>>>>>>> ...
>>>>>>>   <ns1:Permission MemberID="3" Mask="-1" MemberIsUser="False" MemberGlobal="True" GroupName="testsite Owners"/>
>>>>>>>   ...
>>>>>>> </ns1:Permissions>
>>>>>>> </ns1:GetPermissionCollection>
>>>>>>>
>>>>>>> How can I go about solving the problem?
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Regards
>>>>>>> Cihad Güzel
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks
>>>>> Cihad Güzel
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks
>>> Cihad Güzel
>>>
>>
>>
>
>
> --
> Thanks
> Cihad Güzel
>
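The group-to-token mapping Karl quotes from the connector and the Solr token format Cihad shows can be checked offline with a small script. The following is an added example, not ManifoldCF code: it replays the branching of getSidsForGroup() (claims-based versus Active Directory authority) over a constructed GetUserCollectionFromGroup response modelled on the one in the thread, encodes and decodes tokens the way they appear in the allow_token_document field, and flags index entries whose token part is empty ("Authority+Group:"), which is the symptom in the original report. The domain-group entry, its LoginName and the SID inside it are constructed for the example; the two user entries and the "Authority Group" authority-group name come from the thread.

```python
"""Added example (not ManifoldCF code): rebuild the group-to-token mapping
from a GetUserCollectionFromGroup response and audit Solr allow tokens."""
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus, unquote_plus

# Constructed sample, modelled on the SOAP response quoted in the thread.
# Sid attributes are empty, as in the thread. The third entry (a domain group
# with a claims-encoded LoginName) is an assumption added for the example.
SAMPLE_RESPONSE = r"""<GetUserCollectionFromGroup>
  <Users>
    <User ID="17" Sid="" Name="testUser" LoginName="i:0#.w|lagom\testUser"
          IsDomainGroup="False"/>
    <User ID="18" Sid="" Name="testUser2" LoginName="i:0#.w|lagom\testUser2"
          IsDomainGroup="False"/>
    <User ID="19" Sid="" Name="Domain Users (constructed)"
          LoginName="c:0+.w|s-1-5-21-151231991-263585328-740192949-513"
          IsDomainGroup="True"/>
  </Users>
</GetUserCollectionFromGroup>"""


def tokens_for_group(xml_text, group_name, active_directory_authority):
    """Mirror the branching of the connector's getSidsForGroup().

    Claims mode (active_directory_authority=False): one "G<group>" token plus a
    "U<LoginName>" token for every member flagged IsDomainGroup="True".
    AD mode (active_directory_authority=True): one token per member, its Sid.
    With empty Sid attributes the AD branch yields only empty tokens.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "GetUserCollectionFromGroup":
        raise ValueError("unexpected outer node " + root.tag)
    users = root.findall("./Users/User")
    if active_directory_authority:
        return [u.get("Sid", "") for u in users]
    tokens = ["G" + group_name]
    for u in users:
        if u.get("IsDomainGroup") == "True":
            tokens.append("U" + u.get("LoginName", ""))
    return tokens


def solr_token(authority_group, token):
    """Encode a token the way it shows up in allow_token_document."""
    return quote_plus(authority_group) + ":" + quote_plus(token)


def decode_solr_token(value):
    """Split an indexed token into (authority group, raw connector token)."""
    group, _, token = value.partition(":")
    return unquote_plus(group), unquote_plus(token)


def empty_token_groups(values):
    """Authority groups whose indexed token part is empty ("Authority+Group:").

    An empty allow token means the authority produced nothing for the document;
    such entries are worth flagging before trusting the index's security model.
    """
    return [group for group, token in map(decode_solr_token, values) if token == ""]


if __name__ == "__main__":
    for ad_mode in (False, True):
        label = "AD authority" if ad_mode else "claims-based"
        print(label, tokens_for_group(SAMPLE_RESPONSE, "testsite Owners", ad_mode))
    print(decode_solr_token("Authority+Group:Ui%3A0%23.w%7Clagom%5Cadministrator"))
    print("empty tokens for:", empty_token_groups(["Authority+Group:"]))
```

Run against the constructed response, the claims branch yields "Gtestsite Owners" plus one "U..." token for the domain group, while the AD branch yields three empty strings, matching the empty "Authority+Group:" entry Cihad saw when the Active Directory setting was selected with empty Sid values.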
