Posted to dev@manifoldcf.apache.org by Karl Wright <da...@gmail.com> on 2012/04/13 17:05:24 UTC

RE: [jira] [Commented] (CONNECTORS-460) ManifoldCF authority service doesn't handle multi-domain environments

Looks simple to fix next time I have internet service.

Karl

Sent from my Windows Phone
From: Colin Anderson (Commented) (JIRA)
Sent: 4/13/2012 10:13 AM
To: connectors-dev@incubator.apache.org
Subject: [jira] [Commented] (CONNECTORS-460) ManifoldCF authority service doesn't handle multi-domain environments

    [ https://issues.apache.org/jira/browse/CONNECTORS-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253396#comment-13253396 ]

Colin Anderson commented on CONNECTORS-460:
-------------------------------------------

Hi Karl,

I can create the authority with multiple domains now, so that side seems OK.

When crawling, I get {{allow_token_document}} values all prefixed with
the name of the new, single authority.

But the ManifoldCF authority service doesn't work - if I call:
{{http://localhost:8345/mcf-authority-service/UserACLs?username=123456@ap.enterdir.com}}

I get:

{{UNREACHABLEAUTHORITY:Active+Directory}}
{{TOKEN:AD:DEAD_AUTHORITY}}

And in the log I see:

{quote}
WARN 2012-04-13 15:06:07,253 (Auth check thread 0) - Authority connection error: null
java.lang.NullPointerException
	at org.apache.manifoldcf.authorities.authorities.activedirectory.ActiveDirectoryAuthority$AuthorizationResponseDescription.getCriticalSectionName(ActiveDirectoryAuthority.java:1024)
	at org.apache.manifoldcf.core.cachemanager.CacheManager.enterCreateSection(CacheManager.java:343)
	at org.apache.manifoldcf.authorities.authorities.activedirectory.ActiveDirectoryAuthority.getAuthorizationResponse(ActiveDirectoryAuthority.java:260)
	at org.apache.manifoldcf.authorities.system.AuthCheckThread.run(AuthCheckThread.java:92)
 WARN 2012-04-13 15:06:07,253 (13242994@qtp-32105264-0) - Authority 'Active Directory' is unreachable for user '123456@ap.enterdir.com'
{quote}

I get the same if I try with a user in the {{external.com}} domain.

> ManifoldCF authority service doesn't handle multi-domain environments
> ---------------------------------------------------------------------
>
>                 Key: CONNECTORS-460
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-460
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: Active Directory authority, Authority Service
>    Affects Versions: ManifoldCF 0.1, ManifoldCF 0.2, ManifoldCF 0.3, ManifoldCF 0.4, ManifoldCF 0.5, ManifoldCF 0.6
>         Environment: Two Active Directory domains: {{internal.com}} and {{external.com}}
> I'm indexing a Sharepoint site, where that site has permissions set from _both_ domains
>            Reporter: Colin Anderson
>            Assignee: Karl Wright
>              Labels: active-directory, authorization, security
>             Fix For: ManifoldCF 0.6
>
>
> The ManifoldCF authority service doesn't handle multi-domain environments.
> The authority service returns a list of SIDs for the specified user, from all available ManifoldCF authorities, for example:
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
> Note that the SID is prefixed with the name of the ManifoldCF authority.
> Here is my setup:
> Output connector: Solr
> Authority connector1: Active Directory ({{internal.com}} domain), named {{InternalAD}}
> Authority connector2: Active Directory ({{external.com}} domain), named {{ExternalAD}}
> Repository connector: Sharepoint
> If I set the Sharepoint repository connector to use the authority 'None (Global Authority)', then {{allow_token_document}} will contain SIDs that are _not_ prefixed with any authority name, for example:
> {{S-1-5-21-1234567890-1234567890-1234567890-1234}}
> It is therefore not possible to get any search results, because the authority service tokens will not match the stored tokens (because they _are_ prefixed with authority names).
> If I set the Sharepoint repository connector to use one of the AD authorities 'InternalAD', then {{allow_token_document}} will contain SIDs that are prefixed with 'InternalAD', for example:
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
> However, the prefix is _always_ 'InternalAD', even if the user/group actually belongs to the {{external.com}} domain. Therefore it is not possible for users in the {{external.com}} domain to get any search results, because the authority service tokens will not match the stored tokens.
> In essence, there seems to be a mismatch between the tokens that the authority service outputs, and those that repository connectors output.
> Perhaps one solution would be to use the authority 'None (Global Authority)', and modify the authority service to take an extra query parameter that prevents it from prefixing SIDs with the authority name.

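As an added illustration (not code from this message or from the ManifoldCF project) of why the prefix mismatch described in this issue makes every search come back empty, the following Python reimplements the comparison a search layer has to make between the tokens the authority service returns for a user and a document's {{allow_token_document}} values. The line formats ({{TOKEN:<authority>:<SID>}}, {{UNREACHABLEAUTHORITY:<name>}}) are taken from the issue text; the sample SIDs, the ExternalAD response for an external.com user, the decoding of {{+}} as a space in the authority name, the stripping of a leading {{TOKEN:}} marker from stored values, and the fail-closed handling of an unreachable authority are constructed assumptions for this example.

```python
"""Constructed illustration of the token-matching failure in CONNECTORS-460.

Not ManifoldCF code: it reimplements the comparison between the tokens the
authority service returns for a user and the allow tokens stored on a document.
Sample SIDs and responses are constructed; only the line formats come from the issue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserACLs:
    tokens: frozenset       # "<authority>:<sid>" tokens the user holds
    unreachable: frozenset  # authorities that did not answer (assumption: fail closed)


def parse_user_acls(response_lines):
    """Parse the line-oriented UserACLs response shown in the issue.

    'TOKEN:<authority>:<sid>' lines are access tokens. 'UNREACHABLEAUTHORITY:<name>'
    records an authority that could not be queried; the service also emits a
    'TOKEN:<name>:DEAD_AUTHORITY' marker, which is kept here as an ordinary token.
    The '+' in the authority name is assumed to be URL-style encoding of a space.
    """
    tokens, unreachable = set(), set()
    for raw in response_lines:
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(":")
        if kind == "TOKEN":
            tokens.add(rest)
        elif kind == "UNREACHABLEAUTHORITY":
            unreachable.add(rest.replace("+", " "))
        else:
            raise ValueError(f"unexpected UserACLs line: {line!r}")
    return UserACLs(frozenset(tokens), frozenset(unreachable))


def _strip_marker(stored_token):
    """Assumption: a stored value may carry the 'TOKEN:' response marker; drop it."""
    return stored_token[len("TOKEN:"):] if stored_token.startswith("TOKEN:") else stored_token


def user_can_see(acls, allow_token_document):
    """Return True only if a stored allow token literally equals one of the user's tokens.

    Fails closed when any authority was unreachable: an incomplete token list must
    not be used to grant access.
    """
    if acls.unreachable:
        return False
    return any(_strip_marker(tok) in acls.tokens for tok in allow_token_document)


# Constructed sample data (not SIDs from any real directory).
INTERNAL_SID = "S-1-5-21-1234567890-1234567890-1234567890-1234"
EXTERNAL_SID = "S-1-5-21-9876543210-9876543210-9876543210-5678"

# What a working two-authority deployment would return for an external.com user.
EXTERNAL_USER_RESPONSE = [f"TOKEN:ExternalAD:{EXTERNAL_SID}"]

# The broken response quoted in the comment above.
BROKEN_RESPONSE = ["UNREACHABLEAUTHORITY:Active+Directory", "TOKEN:AD:DEAD_AUTHORITY"]


def scenario_global_authority():
    """Repository connector set to 'None (Global Authority)': bare SIDs are stored."""
    return user_can_see(parse_user_acls(EXTERNAL_USER_RESPONSE), [EXTERNAL_SID])


def scenario_wrong_prefix():
    """Connector bound to InternalAD: the external SID is stored with the wrong prefix."""
    return user_can_see(parse_user_acls(EXTERNAL_USER_RESPONSE), [f"InternalAD:{EXTERNAL_SID}"])


def scenario_matching_prefix():
    """The case the fix has to produce: prefix names the authority that owns the SID."""
    return user_can_see(parse_user_acls(EXTERNAL_USER_RESPONSE), [f"TOKEN:ExternalAD:{EXTERNAL_SID}"])


def scenario_unreachable_authority():
    """The NullPointerException case: authority unreachable, so access is denied."""
    return user_can_see(parse_user_acls(BROKEN_RESPONSE), [f"ExternalAD:{EXTERNAL_SID}"])


if __name__ == "__main__":
    for fn in (scenario_global_authority, scenario_wrong_prefix,
               scenario_matching_prefix, scenario_unreachable_authority):
        print(f"{fn.__name__}: {fn()}")
```

Only the third scenario grants access: the bare-SID and wrong-prefix cases fail because the comparison is a literal string match, which is exactly the mismatch the issue reports, and the unreachable case is denied deliberately rather than falling back to whatever tokens did arrive.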