[ https://issues.apache.org/jira/browse/CONNECTORS-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253396#comment-13253396 ]
Colin Anderson commented on CONNECTORS-460:
-------------------------------------------

Hi Karl,

I can create the authority with multiple domains now, so that side seems OK.

When crawling, I get {{allow_token_document}} values all prefixed with the name of the new, single authority. But the ManifoldCF authority service doesn't work - if I call:

{{http://localhost:8345/mcf-authority-service/UserACLs?username=123...@ap.enterdir.com}}

I get:

{{UNREACHABLEAUTHORITY:Active+Directory}}
{{TOKEN:AD:DEAD_AUTHORITY}}

And in the log I see:

{quote}
WARN 2012-04-13 15:06:07,253 (Auth check thread 0) - Authority connection error: null
java.lang.NullPointerException
        at org.apache.manifoldcf.authorities.authorities.activedirectory.ActiveDirectoryAuthority$AuthorizationResponseDescription.getCriticalSectionName(ActiveDirectoryAuthority.java:1024)
        at org.apache.manifoldcf.core.cachemanager.CacheManager.enterCreateSection(CacheManager.java:343)
        at org.apache.manifoldcf.authorities.authorities.activedirectory.ActiveDirectoryAuthority.getAuthorizationResponse(ActiveDirectoryAuthority.java:260)
        at org.apache.manifoldcf.authorities.system.AuthCheckThread.run(AuthCheckThread.java:92)
WARN 2012-04-13 15:06:07,253 (13242994@qtp-32105264-0) - Authority 'Active Directory' is unreachable for user '123...@ap.enterdir.com'
{quote}

I get the same if I try with a user in the {{external.com}} domain.
> ManifoldCF authority service doesn't handle multi-domain environments
> ---------------------------------------------------------------------
>
>                 Key: CONNECTORS-460
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-460
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: Active Directory authority, Authority Service
>    Affects Versions: ManifoldCF 0.1, ManifoldCF 0.2, ManifoldCF 0.3, ManifoldCF 0.4, ManifoldCF 0.5, ManifoldCF 0.6
>         Environment: Two Active Directory domains: {{internal.com}} and {{external.com}}
> I'm indexing a Sharepoint site, where that site has permissions set from _both_ domains
>            Reporter: Colin Anderson
>            Assignee: Karl Wright
>              Labels: active-directory, authorization, security
>             Fix For: ManifoldCF 0.6
>
>
> The ManifoldCF authority service doesn't handle multi-domain environments.
>
> The authority service returns a list of SIDs for the specified user, from all available ManifoldCF authorities, for example:
>
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
>
> Note that the SID is prefixed with the name of the ManifoldCF authority.
>
> Here is my setup:
>
> Output connector: Solr
> Authority connector1: Active Directory ({{internal.com}} domain), named {{InternalAD}}
> Authority connector2: Active Directory ({{external.com}} domain), named {{ExternalAD}}
> Repository connector: Sharepoint
>
> If I set the Sharepoint repository connector to use the authority 'None (Global Authority)', then {{allow_token_document}} will contain SIDs that are _not_ prefixed with any authority name, for example:
>
> {{S-1-5-21-1234567890-1234567890-1234567890-1234}}
>
> It is therefore not possible to get any search results, because the authority service tokens will not match the stored tokens (because they _are_ prefixed with authority names).
>
> If I set the Sharepoint repository connector to use one of the AD authorities 'InternalAD', then {{allow_token_document}} will contain SIDs that are prefixed with 'InternalAD', for example:
>
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
>
> However, the prefix is _always_ 'InternalAD', even if the user/group actually belongs to the {{external.com}} domain. Therefore it is not possible for users in the {{external.com}} domain to get any search results, because the authority service tokens will not match the stored tokens.
>
> In essence, there seems to be a mismatch between the tokens that the authority service outputs, and those that repository connectors output.
>
> Perhaps one solution would be to use the authority 'None (Global Authority)', and modify the authority service to take an extra query parameter that prevents it from prefixing SIDs with the authority name.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
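The token mismatch described in the issue and the DEAD_AUTHORITY response quoted in the comment come down to one property of document-level security filtering: the token strings the authority service hands back must match, byte for byte, the allow/deny tokens stored on each indexed document. The simulation below is an added example written for this page, not ManifoldCF's or the reporter's code. It parses a UserACLs-style response, applies allow/deny matching, and evaluates the two layouts the issue reports (unprefixed SIDs under the global authority, and SIDs always prefixed with the single configured authority) next to a hypothetical per-domain prefixing that picks the authority name from the SID's own domain identifier. The SID values, the domain-to-authority map and the deny semantics are constructed assumptions for the demonstration.

```python
"""Simulation of access-token matching between a ManifoldCF-style authority
service response and the allow/deny tokens stored on indexed documents.
Constructed example for this page, not ManifoldCF code; SID values, the
domain->authority map and the deny rule are assumptions."""

# Two Active Directory domains, as in the issue. The domain identifier is the
# SID without its final RID; both values here are made up.
INTERNAL_DOMAIN = "S-1-5-21-1234567890-1234567890-1234567890"
EXTERNAL_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_TO_AUTHORITY = {INTERNAL_DOMAIN: "InternalAD", EXTERNAL_DOMAIN: "ExternalAD"}


def parse_authority_response(body):
    """Parse a text body in the shape quoted on the page
    (TOKEN:<authority>:<sid> / UNREACHABLEAUTHORITY:<name> lines).
    Returns (tokens, unreachable_authorities)."""
    tokens, unreachable = [], []
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("TOKEN:"):
            tokens.append(line[len("TOKEN:"):])
        elif line.startswith("UNREACHABLEAUTHORITY:"):
            unreachable.append(line[len("UNREACHABLEAUTHORITY:"):])
    return tokens, unreachable


def document_visible(user_tokens, allow_tokens, deny_tokens=()):
    """Assumed filter semantics: visible only if the user holds at least one
    allow token and none of the deny tokens. Matching is exact string
    equality, which is why a prefix mismatch hides every document."""
    held = set(user_tokens)
    if held & set(deny_tokens):
        return False
    return bool(held & set(allow_tokens))


def sid_domain(sid):
    """Domain identifier of an NT SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def prefix_fixed(sid, authority):
    """Layout the issue reports today: every stored SID gets the repository
    connector's single configured authority name, whatever its domain."""
    return f"{authority}:{sid}"


def prefix_by_domain(sid, domain_to_authority):
    """Hypothetical per-domain prefixing (not a ManifoldCF feature): choose the
    authority name from the SID's own domain identifier."""
    authority = domain_to_authority.get(sid_domain(sid))
    return f"{authority}:{sid}" if authority else sid


# Constructed SharePoint ACL: one group from each domain may read the document.
INTERNAL_GROUP = INTERNAL_DOMAIN + "-1234"
EXTERNAL_GROUP = EXTERNAL_DOMAIN + "-5678"
DOC_ALLOW_SIDS = [INTERNAL_GROUP, EXTERNAL_GROUP]

# Constructed authority-service responses for a user in each domain, plus the
# response quoted in the comment for an authority whose connection failed.
INTERNAL_USER_RESPONSE = f"TOKEN:InternalAD:{INTERNAL_GROUP}\n"
EXTERNAL_USER_RESPONSE = f"TOKEN:ExternalAD:{EXTERNAL_GROUP}\n"
DEAD_RESPONSE = "UNREACHABLEAUTHORITY:Active+Directory\nTOKEN:AD:DEAD_AUTHORITY\n"


def visibility_by_setup(response):
    """Evaluate one user's response against three stored-token layouts:
    'global' (unprefixed SIDs), 'single' (always 'InternalAD:'), and the
    hypothetical 'by_domain' layout."""
    user_tokens, _unreachable = parse_authority_response(response)
    layouts = {
        "global": list(DOC_ALLOW_SIDS),
        "single": [prefix_fixed(s, "InternalAD") for s in DOC_ALLOW_SIDS],
        "by_domain": [prefix_by_domain(s, DOMAIN_TO_AUTHORITY) for s in DOC_ALLOW_SIDS],
    }
    return {name: document_visible(user_tokens, allow) for name, allow in layouts.items()}


if __name__ == "__main__":
    for label, resp in [("internal user", INTERNAL_USER_RESPONSE),
                        ("external user", EXTERNAL_USER_RESPONSE),
                        ("dead authority", DEAD_RESPONSE)]:
        print(label, visibility_by_setup(resp))
```

Running it shows the two failure modes from the issue side by side: under the global layout neither user matches anything, because the service prefixes and the index does not; under the single-authority layout the internal user sees the document but the external user never does, because the stored external SID carries the wrong prefix. The DEAD_AUTHORITY placeholder from the comment matches no stored token in any layout, so in this simulation an unreachable authority fails closed rather than granting access.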