[
https://issues.apache.org/jira/browse/CONNECTORS-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253310#comment-13253310
]
Colin Anderson commented on CONNECTORS-460:
-------------------------------------------
I've got it built and running, but I'm unable to get a connection to AD working.
I've added one domain with the following parameters:
{quote}
Domain controller name: ap.internal.com
Domain suffix: @ap.internal.com
Administrative user name: 123456
Authentication: simple
Login attribute: sAMAccountName
{quote}
When I hit save I get this error
{quote}
Threw exception: 'Authentication problem authenticating admin user '123456':
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 525, vece�]'
{quote}
Any idea what could be wrong?
> ManifoldCF authority service doesn't handle multi-domain environments
> ---------------------------------------------------------------------
>
> Key: CONNECTORS-460
> URL: https://issues.apache.org/jira/browse/CONNECTORS-460
> Project: ManifoldCF
> Issue Type: Improvement
> Components: Active Directory authority, Authority Service
> Affects Versions: ManifoldCF 0.1, ManifoldCF 0.2, ManifoldCF 0.3,
> ManifoldCF 0.4, ManifoldCF 0.5, ManifoldCF 0.6
> Environment: Two Active Directory domains: {{internal.com}} and
> {{external.com}}
> I'm indexing a Sharepoint site, where that site has permissions set
> from_both_domains
> Reporter: Colin Anderson
> Assignee: Karl Wright
> Labels: active-directory, authorization, security
> Fix For: ManifoldCF 0.6
>
>
> The ManifoldCF authority service doesn't handle multi-domain environments.
> The authority service returns a list of SIDs for the specified user, from all
> available ManifoldCF authorities, for example:
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
> Note that the SID is prefixed with the name of the ManifoldCF authority.
> Here is my setup:
> Output connector: Solr
> Authority connector1: Active Directory ({{internal.com}} domain), named
> {{InternalAD}}
> Authority connector2: Active Directory ({{external.com}} domain), named
> {{ExternalAD}}
> Repository connector: Sharepoint
> If I set the Sharepoint repository connector to use the authority 'None
> (Global Authority)', then {{allow_token_document}} will contain SIDs that are
> _not_ prefixed with any authority name, for example:
> {{S-1-5-21-1234567890-1234567890-1234567890-1234}}
> It is therefore not possible to get any search results, because the authority
> service tokens will not match the stored tokens (because they _are_ prefixed
> with authority names).
> If I set the Sharepoint repository connector to use one of the AD authorities
> 'InternalAD', then {{allow_token_document}} will contain SIDs that are
> prefixed with 'InternalAD', for example:
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
> However, the prefix is _always_ 'InternalAD', even if the user/group actually
> belongs to the {{external.com}} domain. Therefore it is not possible for
> users in the {{external.com}} domain to get any search results, because the
> authority service tokens will not match the stored tokens.
> In essence, there seems to be a mismatch between the tokens that the
> authority service outputs, and those that repository connectors output.
> Perhaps one solution would be to use the authority 'None (Global Authority)',
> and modify the authority service to take an extra query parameter that
> prevents it from prefixing SIDs with the authority name.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
