Posted to user@manifoldcf.apache.org by Karl Wright <da...@gmail.com> on 2014/04/30 12:07:14 UTC

Re: merge AuthenticatedUserName

Hi Ahmet,

If you want to pass in two different user names, you need to specify two
domains.  Before you can specify two domains, you have to register the
domains you use.  See connectors.xml (or connectors-proprietary.xml) for
how to register domains.  Then, specify domain_0= and domain_1= in your url
as well.  Make sure your two authorities are also configured to use the
appropriate authorization domain as well.

If you really have just *one* user name, and want to map it to *two*,
consider using a regular expression mapper to modify the name for one of
your authorities instead.

Hope this helps.
Karl



On Wed, Apr 30, 2014 at 5:23 AM, Ahmet Arslan <io...@yahoo.com> wrote:

> Hi,
>
> In our mcf/solr setup we want to merge rights of users xxx@g-b and
> xxx@g-b.entp
>
> 1) http://localhost:8345/mcf-authority-service/UserACLs?username=xxx@g-b
> 2)
> http://localhost:8345/mcf-authority-service/UserACLs?username=xxx@g-b.entp
>
> (1) and (2) return something. We expect in (3) we have union of results
>
> 3)
> http://localhost:8345/mcf-authority-service/UserACLs?username_0=xxx@g-b&username_1=xxx@g-b.entp
>
> However (3) returns results of username_1. Because domain parameter is
> used as keys. Empty string used as key and previous entry is overridden.
> And we don't know what to pass as domain.
>
> Does that make sense?
> Should AuthenticatedUserName_0=xxx&AuthenticatedUserName_1=yyy parameters
> OR rights of users?
>
> Note that we could be completely mis-using mcf.
>
> Thanks,
> Ahmet
>

Re: merge AuthenticatedUserName

Posted by Ahmet Arslan <io...@yahoo.com>.
Hi Karl,

I need some time to digest your proposed solution. Here is what I have done:

1) Add following two lines to Connectors.xml.

<authorizationdomain domain="spn" name="SharePointNative"/>
<authorizationdomain domain="spad" name="SharePointActiveDirectory"/>

2) restart mcf

3) Go to "List Authority Connections" and add/edit "Authorization domain:" on the connections ("SharePointNative" and "SharePointActiveDirectory" appear in the pull-down menu).

4) Issue a search with the following parameters:

AuthenticatedUserDomain_0=spn
AuthenticatedUserDomain_1=spad
AuthenticatedUserName_0=ahmet@g-b
AuthenticatedUserName_1=ahmet@g-b.entp

Seems to be working for now. I will read more and ingest this stuff; it seems pretty confusing :)

Thanks for your help,
Ahmet

On Wednesday, April 30, 2014 2:57 PM, Karl Wright <da...@gmail.com> wrote:

> Hi Ahmet,
>
> The authorization domains declared in connectors.xml are NOT Active Directory domains.  They are instead arbitrary.  The end-user documentation describes this in some detail, and I'll send you a reworked chapter of ManifoldCF in Action which describes how these work.
>
> Thanks,
> Karl






Re: merge AuthenticatedUserName

Posted by Karl Wright <da...@gmail.com>.
Ok, sent the appropriate book chapter along.

It sounds to me that in your case you are getting one authenticated
username, e.g. ahmet@g-b .  I understand that somehow you have different
access tokens associated with ahmet@g-b and ahmet@g-b.entp .  If this is
indeed intentional (which would be the first question to ask), then what
I'd do is the following:


(1) Use only the default ManifoldCF authorization domain
(2) Create a regular expression mapper which converts a username of the
form <username>@g-b into <username>@g-b.entp .
(3) Create ONE authority group to represent your merged security zone.
(4) Create TWO authorities, one of which has no prerequisite mappers, and
the other which has the mapper you created in step 2 above.  Both
authorities should belong to the same authority group.


This should solve the problem, don't you think?

Karl


On Wed, Apr 30, 2014 at 7:56 AM, Karl Wright <da...@gmail.com> wrote:

> Hi Ahmet,
>
> The authorization domains declared in connectors.xml are NOT Active
> Directory domains.  They are instead arbitrary.  The end-user documentation
> describes this in some detail, and I'll send you a reworked chapter of
> ManifoldCF in Action which describes how these work.
>
> Thanks,
> Karl
>
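
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not ManifoldCF code: a small model of keying identities by authorization domain (the override Ahmet reports), of registering two domains, and of the single-domain regular expression mapper Karl proposes. The token values and all function names are assumptions constructed for illustration; `username_N`, `domain_N`, `spn` and `spad` are taken from the messages.

```python
import re

# Constructed sample data: the access tokens each user name resolves to.
TOKENS = {
    "ahmet@g-b": {"token-native-1"},
    "ahmet@g-b.entp": {"token-ad-1", "token-ad-2"},
}

def lookup(user):
    """Stand-in for one authority connection (hypothetical helper)."""
    return set(TOKENS.get(user, ()))

def parse_identities(params):
    """Pair username_N with domain_N and key the result by domain.
    A missing domain_N becomes "", so names without domains share one key."""
    identities = {}
    indexes = sorted(int(k[len("username_"):]) for k in params
                     if re.fullmatch(r"username_\d+", k))
    for i in indexes:
        domain = params.get(f"domain_{i}", "")
        identities[domain] = params[f"username_{i}"]  # same key: last one wins
    return identities

def tokens_by_domain(params, authorities):
    """Union the tokens of every (domain, user) pair; authorities maps
    an authorization domain to the lookup of the authority using it."""
    merged = set()
    for domain, user in parse_identities(params).items():
        merged |= authorities[domain](user)
    return merged

def entp_mapper(user):
    """Regular expression mapper: <username>@g-b -> <username>@g-b.entp."""
    return re.sub(r"^(.+)@g-b$", r"\1@g-b.entp", user)

def tokens_by_mapper(user):
    """One domain, one authority group, two authorities: the first sees the
    name as given, the second sees it after the prerequisite mapper."""
    return lookup(user) | lookup(entp_mapper(user))

NAMES = {"username_0": "ahmet@g-b", "username_1": "ahmet@g-b.entp"}
DOMAINS = {"domain_0": "spn", "domain_1": "spad"}
if __name__ == "__main__":
    print(tokens_by_domain(NAMES, {"": lookup}))  # collision on the "" key
    print(tokens_by_domain({**NAMES, **DOMAINS}, {"spn": lookup, "spad": lookup}))
    print(tokens_by_mapper("ahmet@g-b"))
```

In this model, omitting the domains yields only the tokens of the last name supplied, while either distinct domains or the mapper yields the union of both token sets.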

Re: merge AuthenticatedUserName

Posted by Karl Wright <da...@gmail.com>.
Hi Ahmet,

The authorization domains declared in connectors.xml are NOT Active
Directory domains.  They are instead arbitrary.  The end-user documentation
describes this in some detail, and I'll send you a reworked chapter of
ManifoldCF in Action which describes how these work.

Thanks,
Karl



On Wed, Apr 30, 2014 at 7:33 AM, Ahmet Arslan <io...@yahoo.com> wrote:

> Hi Karl,
>
> For some reason, we have different rights for the same username with
> different  suffixes (@g-b.entp and @g-b)
>
> What we are trying to do is to merge rights.
>
> AuthenticatedUserName=ahmet@g-b
> AuthenticatedUserName=ahmet@g-b.entp
>
>
> I see the following in connectors.xml
>
> <!-- authorizationdomain domain="AD" name="ActiveDirectory"/-->
>
> AD is the part where we pass parameters of AuthenticatedUserDomain=AD. But
> what is the name (ActiveDirectory) part? How it is connected to our
> defined authorities?
>
> Thanks,
> Ahmet

Re: merge AuthenticatedUserName

Posted by Ahmet Arslan <io...@yahoo.com>.
Hi Karl,

For some reason, we have different rights for the same username with different suffixes (@g-b.entp and @g-b).

What we are trying to do is to merge rights.

AuthenticatedUserName=ahmet@g-b
AuthenticatedUserName=ahmet@g-b.entp


I see the following in connectors.xml

<!-- authorizationdomain domain="AD" name="ActiveDirectory"/-->


AD is the part where we pass parameters of AuthenticatedUserDomain=AD. But what is the name (ActiveDirectory) part? How is it connected to our defined authorities?

Thanks,
Ahmet

On Wednesday, April 30, 2014 1:07 PM, Karl Wright <da...@gmail.com> wrote:

> Hi Ahmet,
>
> If you want to pass in two different user names, you need to specify two domains.  Before you can specify two domains, you have to register the domains you use.  See connectors.xml (or connectors-proprietary.xml) for how to register domains.  Then, specify domain_0= and domain_1= in your url as well.  Make sure your two authorities are also configured to use the appropriate authorization domain as well.
>
> If you really have just *one* user name, and want to map it to *two*, consider using a regular expression mapper to modify the name for one of your authorities instead.
>
> Hope this helps.
> Karl




