This looked very good, so I committed it as-is. It does, however,
invalidate Shinichiro's earlier patch for CONNECTORS-197. Would you
know what the login id field would be if the active directory instance
does not have sAMAccountName? Is it uid?
Karl
On Fri, May 6, 2011 at 6:24 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
> Hi Karl,
>
> While looking over AD access and attributes, I found that
> "distinguishedName"
> attribute contains all the information we need for TokenGroups search, in
> the correct format ie:
> "CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
> and by using this attribute instead of CN, we don't need to build the
> searchbase ourselves.
>
> There are 2 advantages of using this attribute:
> 1- Even if the user is not part of users group (whatever the reason maybe)
> we still get the results back, because his information is included in the
> "distinguishedName" attribute.
> 2- We don't need to do treat any special characters like comma, etc.. (it's
> already formatted).
>
> I tested the code it works. Please see attached for the latest.
>
> Thanks
>
> Kadri
>
> Following is no longer needed:
> StringBuffer sb = new StringBuffer();
> sb.append("CN=").append(ldapEscape(userCN)).append(",CN=Users,");
> sb.append(domainsb);
>
>
>
>
>
> On Fri, May 6, 2011 at 11:03 AM, Kadri Atalay <atalay.ka...@gmail.com>
> wrote:
>>
>> Hi Karl,
>>
>> Tested, and it's working.
>>
>> Thanks!
>>
>> Kadri
>>
>>
>> On Thu, May 5, 2011 at 7:29 PM, Karl Wright <daddy...@gmail.com> wrote:
>>>
>>> I think yours was working because it was returning "cn=null,
>>> cn=users", which was a result of the fact that cn was null and the
>>> expression was assembled using the "+" operator. When I separated the
>>> ldap escape out, it caused a null pointer exception to be thrown
>>> instead. It should be fixed now.
>>>
>>> Karl
>>>
>>>
>>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.ka...@gmail.com>
>>> wrote:
>>> > Fyi. The file I sent you was returning usernotfound.
>>> >
>>> >
>>> > Sent from my iPhone
>>> >
>>> > On May 5, 2011, at 7:12 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> >
>>> >> It must mean we're somehow throwing an exception in the case where the
>>> >> user is missing. I bet I know why - the CN lookup is failing instead.
>>> >> I'll see if I can change it.
>>> >>
>>> >> Karl
>>> >>
>>> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.ka...@gmail.com>
>>> >> wrote:
>>> >>> It works, only difference I see with previous one is: if a domain is
>>> >>> reachable, message usernotfound makes a better indicator, somehow we
>>> >>> lost
>>> >>> that.
>>> >>>
>>> >>>
>>> >>> C:\OPT>testauthority
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser";
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain";
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com";
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> Previous one
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com";
>>> >>> USERNOTFOUND:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa";
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com";
>>> >>> AUTHORIZED:TEQA-DC
>>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> >>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=kata...@teqa.filetek.com";
>>> >>> AUTHORIZED:TEQA-DC
>>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>>> >>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>
>>> >>> C:\OPT>curl
>>> >>>
>>> >>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain";
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>>
>>> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddy...@gmail.com>
>>> >>> wrote:
>>> >>>>
>>> >>>> I've cleaned things up slightly to restore the objectSid and also to
>>> >>>> fix an infinite loop ifyou have more than one comma in the escape
>>> >>>> expression. I've attached the file, can you see if it works?
>>> >>>>
>>> >>>> Thanks,
>>> >>>> Karl
>>> >>>>
>>> >>>>
>>> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddy...@gmail.com>
>>> >>>> wrote:
>>> >>>>> Thanks - we do need the user sid, so I will put that back.
>>> >>>>>
>>> >>>>> Also, I'd like to ask what you know about escaping the user name in
>>> >>>>> this expression:
>>> >>>>>
>>> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" +
>>> >>>>> userName
>>> >>>>> + "))";
>>> >>>>>
>>> >>>>> It seems to me that there is probably some escaping needed, but I
>>> >>>>> don't know what style. Do you think it is the same (C-style, with
>>> >>>>> \
>>> >>>>> escape) as for the other case?
>>> >>>>>
>>> >>>>> Karl
>>> >>>>>
>>> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay
>>> >>>>> <atalay.ka...@gmail.com>
>>> >>>>> wrote:
>>> >>>>>> Hi Karl,
>>> >>>>>>
>>> >>>>>> String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>> >>>>>> memberGroups,
>>> >>>>>>
>>> >>>>>> C:\OPT>curl
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com";
>>> >>>>>> AUTHORIZED:TEQA-DC
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-
>>> >>>>>> 1212545812-2858578934-3563067286-1124
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>>>>
>>> >>>>>> but,
>>> >>>>>>
>>> >>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"}; is
>>> >>>>>> returning
>>> >>>>>> memberGroups AND SID for that user.
>>> >>>>>>
>>> >>>>>> C:\OPT>curl
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com";
>>> >>>>>> AUTHORIZED:TEQA-DC
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>>>>
>>> >>>>>> Since we are only interested in the member groups, tokenGroups is
>>> >>>>>> sufficient, but if you also need user SID then you might keep the
>>> >>>>>> objectSID
>>> >>>>>> as well.
>>> >>>>>>
>>> >>>>>> Thanks
>>> >>>>>>
>>> >>>>>> Kadri
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddy...@gmail.com>
>>> >>>>>> wrote:
>>> >>>>>>>
>>> >>>>>>> I am curious about the following change, which does not seem
>>> >>>>>>> correct:
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> //Specify the attributes to return
>>> >>>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"};
>>> >>>>>>> + String returnedAtts[]={"tokenGroups"};
>>> >>>>>>> searchCtls.setReturningAttributes(returnedAtts);
>>> >>>>>>>
>>> >>>>>>> Karl
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay
>>> >>>>>>> <atalay.ka...@gmail.com>
>>> >>>>>>> wrote:
>>> >>>>>>>> Karl,
>>> >>>>>>>>
>>> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
>>> >>>>>>>>
>>> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do
>>> >>>>>>>> that
>>> >>>>>>>> from
>>> >>>>>>>> Tortoise.
>>> >>>>>>>> But, you got my consent for granting the ASF license.
>>> >>>>>>>>
>>> >>>>>>>> Thanks
>>> >>>>>>>>
>>> >>>>>>>> Kadri
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddy...@gmail.com>
>>> >>>>>>>> wrote:
>>> >>>>>>>>>
>>> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to
>>> >>>>>>>>> the
>>> >>>>>>>>> ticket if you prefer. But you must click the "Grant ASF
>>> >>>>>>>>> License"
>>> >>>>>>>>> button.
>>> >>>>>>>>>
>>> >>>>>>>>> Karl
>>> >>>>>>>>>
>>> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>>> >>>>>>>>> <atalay.ka...@gmail.com>
>>> >>>>>>>>> wrote:
>>> >>>>>>>>>> Karl,
>>> >>>>>>>>>>
>>> >>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>>> >>>>>>>>>> Do you know how to do this with Tortoise ?
>>> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>> >>>>>>>>>> BTW, there are some changes in the ParseUser method also, you
>>> >>>>>>>>>> can
>>> >>>>>>>>>> see
>>> >>>>>>>>>> all
>>> >>>>>>>>>> when you run the diff.
>>> >>>>>>>>>>
>>> >>>>>>>>>> Thanks
>>> >>>>>>>>>>
>>> >>>>>>>>>> Kadri
>>> >>>>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>
>>> >>>
>>> >>>
>>> >
>>
>
>
