[ https://issues.apache.org/jira/browse/CONNECTORS-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253310#comment-13253310 ]
Colin Anderson commented on CONNECTORS-460: ------------------------------------------- I've got it built and running, but I'm unable to get a connection to AD working. I've added one domain with the following parameters: {quote} Domain controller name: ap.internal.com Domain suffix: @ap.internal.com Administrative user name: 123456 Authentication: simple Login attribute: sAMAccountName {quote} When I hit save I get this error {quote} Threw exception: 'Authentication problem authenticating admin user '123456': [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece�]' {quote} Any idea what could be wrong? > ManifoldCF authority service doesn't handle multi-domain environments > --------------------------------------------------------------------- > > Key: CONNECTORS-460 > URL: https://issues.apache.org/jira/browse/CONNECTORS-460 > Project: ManifoldCF > Issue Type: Improvement > Components: Active Directory authority, Authority Service > Affects Versions: ManifoldCF 0.1, ManifoldCF 0.2, ManifoldCF 0.3, > ManifoldCF 0.4, ManifoldCF 0.5, ManifoldCF 0.6 > Environment: Two Active Directory domains: {{internal.com}} and > {{external.com}} > I'm indexing a Sharepoint site, where that site has permissions set > from_both_domains > Reporter: Colin Anderson > Assignee: Karl Wright > Labels: active-directory, authorization, security > Fix For: ManifoldCF 0.6 > > > The ManifoldCF authority service doesn't handle multi-domain environments. > The authority service returns a list of SIDs for the specified user, from all > available ManifoldCF authorities, for example: > {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}} > Note that the SID is prefixed with the name of the ManifoldCF authority. > Here is my setup: > Output connector: Solr > Authority connector1: Active Directory ({{internal.com}} domain), named > {{InternalAD}} > Authority connector2: Active Directory ({{external.com}} domain), named > {{ExternalAD}} > Repository connector: Sharepoint > If I set the Sharepoint repository connector to use the authority 'None > (Global Authority)', then {{allow_token_document}} will contain SIDs that are > _not_ prefixed with any authority name, for example: > {{S-1-5-21-1234567890-1234567890-1234567890-1234}} > It is therefore not possible to get any search results, because the authority > service tokens will not match the stored tokens (because they _are_ prefixed > with authority names). > If I set the Sharepoint repository connector to use one of the AD authorities > 'InternalAD', then {{allow_token_document}} will contain SIDs that are > prefixed with 'InternalAD', for example: > {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}} > However, the prefix is _always_ 'InternalAD', even if the user/group actually > belongs to the {{external.com}} domain. Therefore it is not possible for > users in the {{external.com}} domain to get any search results, because the > authority service tokens will not match the stored tokens. > In essence, there seems to be a mismatch between the tokens that the > authority service outputs, and those that repository connectors output. > Perhaps one solution would be to use the authority 'None (Global Authority)', > and modify the authority service to take an extra query parameter that > prevents it from prefixing SIDs with the authority name. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira