Posted to dev@manifoldcf.apache.org by "Karl Wright (JIRA)" <ji...@apache.org> on 2014/02/16 16:24:19 UTC
[jira] [Commented] (CONNECTORS-891) SharePoint 2010 claim space authorization fails for AD groups
[ https://issues.apache.org/jira/browse/CONNECTORS-891?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13902731#comment-13902731 ]
Karl Wright commented on CONNECTORS-891:
----------------------------------------
Created branches/CONNECTORS-891 to work on this ticket, based off of branches/release-1.5-branch.
> SharePoint 2010 claim space authorization fails for AD groups
> -------------------------------------------------------------
>
> Key: CONNECTORS-891
> URL: https://issues.apache.org/jira/browse/CONNECTORS-891
> Project: ManifoldCF
> Issue Type: Bug
> Components: SharePoint connector
> Affects Versions: ManifoldCF 1.5
> Reporter: Karl Wright
> Assignee: Karl Wright
> Fix For: ManifoldCF 1.5.1, ManifoldCF 1.6
>
>
> It looks like, at least in some cases, in SharePoint 2010 it is not SharePoint groups that correspond to AD groups, but rather SharePoint *users* that correspond to AD groups. For example:
> {code}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> <soap:Body>
> <GetUserCollectionFromGroupResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
> <GetUserCollectionFromGroupResult>
> <GetUserCollectionFromGroup>
> <Users>
> <User ID="3620" Sid="" Name="Axxx Dxxx" LoginName="i:0#.w|domain\dxxx" Email="..." Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
> <User ID="1199" Sid="" Name="itstrain" LoginName="i:0#.w|domain\itstrain" Email="..." Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
> <User ID="2871" Sid="" Name="Law Library helpdesk account" LoginName="i:0#.w|domain\reflaw" Email="..." Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
> <User ID="5135" Sid="" Name="Library Desk - GP" LoginName="i:0#.w|domain\lib-deskgp" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
> <User ID="5899" Sid="" Name="DOMAIN\$0kjf00-gcsje70g79fm" LoginName="c:0+.w|s-1-5-21-3052554794-3770484871-3874881240-511616" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="True" Flags="0"/>
> </Users>
> </GetUserCollectionFromGroup>
> </GetUserCollectionFromGroupResult>
> </GetUserCollectionFromGroupResponse>
> </soap:Body>
> </soap:Envelope>
> {code}
> We therefore need to look at child users of groups to come up with the right tokens. Furthermore, the SharePoint/AD authority should always generate user tokens, not group tokens.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
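
The response quoted in the issue, walked through as an added example (not ManifoldCF code and not part of the original message): it sorts the `<User>` children of a SharePoint group into real users and AD groups identified by SID, and sets aside entries whose `IsDomainGroup` flag and `LoginName` disagree. The function names, the uppercase SID normalization and the malformed entry with ID 9001 are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"d": "http://schemas.microsoft.com/sharepoint/soap/directory/"}
SID_RE = re.compile(r"s-1-\d+(-\d+)+", re.IGNORECASE)

# Constructed sample: two entries from the quoted response, plus one
# constructed malformed entry (ID 9001) to exercise the validation path.
SAMPLE = r"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetUserCollectionFromGroupResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
<GetUserCollectionFromGroupResult><GetUserCollectionFromGroup><Users>
<User ID="3620" Name="Axxx Dxxx" LoginName="i:0#.w|domain\dxxx" IsDomainGroup="False"/>
<User ID="5899" Name="DOMAIN\$0kjf00-gcsje70g79fm" LoginName="c:0+.w|s-1-5-21-3052554794-3770484871-3874881240-511616" IsDomainGroup="True"/>
<User ID="9001" Name="constructed" LoginName="c:0+.w|not-a-sid" IsDomainGroup="True"/>
</Users></GetUserCollectionFromGroup></GetUserCollectionFromGroupResult>
</GetUserCollectionFromGroupResponse>
</soap:Body>
</soap:Envelope>"""


def split_claim(login_name):
    """Return the value after the '|' of a claims-encoded LoginName."""
    _prefix, sep, value = login_name.partition("|")
    return value if sep else login_name


def classify_members(xml_text):
    """Sort <User> children of a SharePoint group into real users, AD groups
    (by SID), and entries whose flag and LoginName disagree."""
    users, ad_group_sids, suspect = [], [], []
    for user in ET.fromstring(xml_text).iterfind(".//d:Users/d:User", NS):
        login = user.get("LoginName", "")
        value = split_claim(login)
        is_group = user.get("IsDomainGroup", "").lower() == "true"
        looks_like_sid = SID_RE.fullmatch(value) is not None
        if is_group and looks_like_sid:
            ad_group_sids.append(value.upper())
        elif is_group or looks_like_sid:
            suspect.append(login)  # never turn these into access tokens
        else:
            users.append(value)
    return users, ad_group_sids, suspect


if __name__ == "__main__":
    print(classify_members(SAMPLE))
```

Entries in the third list are worth logging rather than silently dropping, since a group member that cannot be resolved changes who is granted access to the crawled documents.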