[ 
https://issues.apache.org/jira/browse/CONNECTORS-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253396#comment-13253396
 ] 

Colin Anderson commented on CONNECTORS-460:
-------------------------------------------

Hi Karl,

I can create the authority with multiple domains now, so that side seems OK. 

When crawling, I get {{allow_token_document}} values all prefixed with the name 
of the new, single authority. 

But the ManifoldCF authority service doesn't work - if I call:
{{http://localhost:8345/mcf-authority-service/UserACLs?username=123...@ap.enterdir.com}}

I get:

{{UNREACHABLEAUTHORITY:Active+Directory}}
{{TOKEN:AD:DEAD_AUTHORITY}}

And in the log I see:

{quote}
WARN 2012-04-13 15:06:07,253 (Auth check thread 0) - Authority connection 
error: null
java.lang.NullPointerException
        at 
org.apache.manifoldcf.authorities.authorities.activedirectory.ActiveDirectoryAuthority$AuthorizationResponseDescription.getCriticalSectionName(ActiveDirectoryAuthority.java:1024)
        at 
org.apache.manifoldcf.core.cachemanager.CacheManager.enterCreateSection(CacheManager.java:343)
        at 
org.apache.manifoldcf.authorities.authorities.activedirectory.ActiveDirectoryAuthority.getAuthorizationResponse(ActiveDirectoryAuthority.java:260)
        at 
org.apache.manifoldcf.authorities.system.AuthCheckThread.run(AuthCheckThread.java:92)
 WARN 2012-04-13 15:06:07,253 (13242994@qtp-32105264-0) - Authority 'Active 
Directory' is unreachable for user '123...@ap.enterdir.com'
{quote}

I get the same if I try with a user in the {{external.com}} domain.
                
> ManifoldCF authority service doesn't handle multi-domain environments
> ---------------------------------------------------------------------
>
>                 Key: CONNECTORS-460
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-460
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: Active Directory authority, Authority Service
>    Affects Versions: ManifoldCF 0.1, ManifoldCF 0.2, ManifoldCF 0.3, 
> ManifoldCF 0.4, ManifoldCF 0.5, ManifoldCF 0.6
>         Environment: Two Active Directory domains: {{internal.com}} and 
> {{external.com}}
> I'm indexing a Sharepoint site, where that site has permissions set 
> from _both_ domains
>            Reporter: Colin Anderson
>            Assignee: Karl Wright
>              Labels: active-directory, authorization, security
>             Fix For: ManifoldCF 0.6
>
>
> The ManifoldCF authority service doesn't handle multi-domain environments.
> The authority service returns a list of SIDs for the specified user, from all 
> available ManifoldCF authorities, for example:
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
> Note that the SID is prefixed with the name of the ManifoldCF authority.
> Here is my setup:
> Output connector: Solr
> Authority connector1: Active Directory ({{internal.com}} domain), named 
> {{InternalAD}}
> Authority connector2: Active Directory ({{external.com}} domain), named 
> {{ExternalAD}}
> Repository connector: Sharepoint
> If I set the Sharepoint repository connector to use the authority 'None 
> (Global Authority)', then {{allow_token_document}} will contain SIDs that are 
> _not_ prefixed with any authority name, for example:
> {{S-1-5-21-1234567890-1234567890-1234567890-1234}}
> It is therefore not possible to get any search results, because the authority 
> service tokens will not match the stored tokens (because they _are_ prefixed 
> with authority names).
> If I set the Sharepoint repository connector to use one of the AD authorities 
> 'InternalAD', then {{allow_token_document}} will contain SIDs that are 
> prefixed with 'InternalAD', for example:
> {{TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234}}
> However, the prefix is _always_ 'InternalAD', even if the user/group actually 
> belongs to the {{external.com}} domain. Therefore it is not possible for 
> users in the {{external.com}} domain to get any search results, because the 
> authority service tokens will not match the stored tokens.
> In essence, there seems to be a mismatch between the tokens that the 
> authority service outputs, and those that repository connectors output.
> Perhaps one solution would be to use the authority 'None (Global Authority)', 
> and modify the authority service to take an extra query parameter that 
> prevents it from prefixing SIDs with the authority name.
