ManifoldCF authority service doesn't handle multi-domain environments
---------------------------------------------------------------------

                 Key: CONNECTORS-460
                 URL: https://issues.apache.org/jira/browse/CONNECTORS-460
             Project: ManifoldCF
          Issue Type: Improvement
          Components: Active Directory authority, Authority Service
         Environment: Two Active Directory domains: {{internal.com}} and {{external.com}}
                      I'm indexing a Sharepoint site, where that site has permissions set from _both_ domains
            Reporter: Colin Anderson


The ManifoldCF authority service doesn't handle multi-domain environments.

The authority service returns a list of SIDs for the specified user, from all 
available ManifoldCF authorities, for example:

{{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}

Note that the SID is prefixed with the name of the ManifoldCF authority.

Here is my setup:

Output connector: Solr
Authority connector1: Active Directory ({{internal.com}} domain), named 
{{InternalAD}}
Authority connector2: Active Directory ({{external.com}} domain), named 
{{ExternalAD}}
Repository connector: Sharepoint

If I set the Sharepoint repository connector to use the authority 'None (Global 
Authority)', then {{allow_token_document}} will contain SIDs that are _not_ 
prefixed with any authority name, for example:

{{S-1-5-21-1234567890-1234567890-1234567890-1234}}

It is therefore not possible to get any search results, because the authority 
service tokens will not match the stored tokens (because they _are_ prefixed 
with authority names).

If I set the Sharepoint repository connector to use one of the AD authorities 
'InternalAD', then {{allow_token_document}} will contain SIDs that are prefixed 
with 'InternalAD', for example:

{{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}

However, the prefix is _always_ 'InternalAD', even if the user/group actually 
belongs to the {{external.com}} domain. Therefore it is not possible for users 
in the {{external.com}} domain to get any search results, because the authority 
service tokens will not match the stored tokens.

In essence, there seems to be a mismatch between the tokens that the authority 
service outputs, and those that repository connectors output.

Perhaps one solution would be to use the authority 'None (Global Authority)', 
and modify the authority service to take an extra query parameter that prevents 
it from prefixing SIDs with the authority name.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
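
The token mismatch described in the report above, modelled as an added example (not part of the original message and not ManifoldCF code). The SIDs, the user names, the assumption that each authority resolves only its own domain's users, and the `prefix` switch standing in for the proposed query parameter are all constructed for illustration.

```python
# Added illustration: a model of the token matching described in the report.
# Not ManifoldCF code. SIDs and user names are constructed sample values.
INTERNAL_SID = "S-1-5-21-1111111111-1111111111-1111111111-1001"
EXTERNAL_SID = "S-1-5-21-2222222222-2222222222-2222222222-2001"

# Assumption: each AD authority resolves only users of its own domain.
AUTHORITIES = {
    "InternalAD": {"alice@internal.com": [INTERNAL_SID]},
    "ExternalAD": {"bob@external.com": [EXTERNAL_SID]},
}

def service_tokens(user, prefix=True):
    """Tokens the authority service returns for a user, across all authorities.
    prefix=False models the extra query parameter the report proposes (hypothetical)."""
    tokens = set()
    for name, users in AUTHORITIES.items():
        for sid in users.get(user, []):
            tokens.add(f"TOKEN:{name}:{sid}" if prefix else sid)
    return tokens

def document_tokens(acl_sids, repo_authority):
    """allow_token_document values: every ACL SID gets the single authority set on
    the repository connector, or no prefix for the global authority (None)."""
    if repo_authority is None:
        return set(acl_sids)
    return {f"TOKEN:{repo_authority}:{sid}" for sid in acl_sids}

def can_see(user, repo_authority, prefix=True):
    """A document is returned only if user tokens and stored tokens intersect."""
    acl = [INTERNAL_SID, EXTERNAL_SID]  # permissions set from both domains
    return bool(service_tokens(user, prefix) & document_tokens(acl, repo_authority))

def matrix():
    """Visibility for (internal user, external user) under the report's three cases."""
    users = ("alice@internal.com", "bob@external.com")
    configs = {
        "global authority, prefixed service": (None, True),
        "InternalAD authority, prefixed service": ("InternalAD", True),
        "global authority, unprefixed service (proposal)": (None, False),
    }
    return {label: tuple(can_see(u, auth, p) for u in users)
            for label, (auth, p) in configs.items()}

if __name__ == "__main__":
    for label, result in matrix().items():
        print(f"{label}: internal={result[0]} external={result[1]}")
```

In this model every mismatch fails closed: a user whose tokens carry the wrong prefix sees nothing, and no configuration grants access to a SID the user does not hold.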

        
