This looked very good, so I committed it as-is. It does, however, invalidate Shinichiro's earlier patch for CONNECTORS-197. Would you know what the login id field would be if the Active Directory instance does not have sAMAccountName? Is it uid?
Karl

On Fri, May 6, 2011 at 6:24 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
> Hi Karl,
>
> While looking over AD access and attributes, I found that the
> "distinguishedName" attribute contains all the information we need for the
> TokenGroups search, in the correct format, i.e.:
> "CN=Administrator,CN=Users,DC=qa-ad-76,DC=metacarta,DC=com";
> and by using this attribute instead of CN, we don't need to build the
> searchbase ourselves.
>
> There are 2 advantages of using this attribute:
> 1- Even if the user is not part of the users group (whatever the reason may be)
> we still get the results back, because his information is included in the
> "distinguishedName" attribute.
> 2- We don't need to treat any special characters like comma, etc. (it's
> already formatted).
>
> I tested the code; it works. Please see attached for the latest.
>
> Thanks
>
> Kadri
>
> The following is no longer needed:
> StringBuffer sb = new StringBuffer();
> sb.append("CN=").append(ldapEscape(userCN)).append(",CN=Users,");
> sb.append(domainsb);
>
> On Fri, May 6, 2011 at 11:03 AM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>>
>> Hi Karl,
>>
>> Tested, and it's working.
>>
>> Thanks!
>>
>> Kadri
>>
>> On Thu, May 5, 2011 at 7:29 PM, Karl Wright <daddy...@gmail.com> wrote:
>>>
>>> I think yours was working because it was returning "cn=null,
>>> cn=users", which was a result of the fact that cn was null and the
>>> expression was assembled using the "+" operator. When I separated the
>>> ldap escape out, it caused a null pointer exception to be thrown
>>> instead. It should be fixed now.
>>>
>>> Karl
>>>
>>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>>> > Fyi. The file I sent you was returning usernotfound.
>>> >
>>> > Sent from my iPhone
>>> >
>>> > On May 5, 2011, at 7:12 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> >
>>> >> It must mean we're somehow throwing an exception in the case where the
>>> >> user is missing. I bet I know why - the CN lookup is failing instead.
>>> >> I'll see if I can change it.
>>> >>
>>> >> Karl
>>> >>
>>> >> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>>> >>> It works. The only difference I see from the previous one is: if a domain is
>>> >>> reachable, the message usernotfound makes a better indicator; somehow we
>>> >>> lost that.
>>> >>>
>>> >>> C:\OPT>testauthority
>>> >>>
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> Previous one:
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com"
>>> >>> USERNOTFOUND:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com"
>>> >>> AUTHORIZED:TEQA-DC
>>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> >>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=kata...@teqa.filetek.com"
>>> >>> AUTHORIZED:TEQA-DC
>>> >>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>>> >>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>
>>> >>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>>> >>> UNREACHABLEAUTHORITY:TEQA-DC
>>> >>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>> >>>
>>> >>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> >>>>
>>> >>>> I've cleaned things up slightly to restore the objectSid and also to
>>> >>>> fix an infinite loop if you have more than one comma in the escape
>>> >>>> expression. I've attached the file; can you see if it works?
>>> >>>>
>>> >>>> Thanks,
>>> >>>> Karl
>>> >>>>
>>> >>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> >>>>> Thanks - we do need the user sid, so I will put that back.
>>> >>>>>
>>> >>>>> Also, I'd like to ask what you know about escaping the user name in
>>> >>>>> this expression:
>>> >>>>>
>>> >>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
>>> >>>>>
>>> >>>>> It seems to me that there is probably some escaping needed, but I
>>> >>>>> don't know what style. Do you think it is the same (C-style, with \
>>> >>>>> escape) as for the other case?
>>> >>>>>
>>> >>>>> Karl
>>> >>>>>
>>> >>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>>> >>>>>> Hi Karl,
>>> >>>>>>
>>> >>>>>> String returnedAtts[]={"tokenGroups"} is ONLY returning the memberGroups:
>>> >>>>>>
>>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com"
>>> >>>>>> AUTHORIZED:TEQA-DC
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>>>>
>>> >>>>>> but
>>> >>>>>>
>>> >>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>>> >>>>>> memberGroups AND the SID for that user:
>>> >>>>>>
>>> >>>>>> C:\OPT>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com"
>>> >>>>>> AUTHORIZED:TEQA-DC
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> >>>>>> TOKEN:TEQA-DC:S-1-1-0
>>> >>>>>>
>>> >>>>>> Since we are only interested in the member groups, tokenGroups is
>>> >>>>>> sufficient, but if you also need the user SID then you might keep the
>>> >>>>>> objectSID as well.
>>> >>>>>>
>>> >>>>>> Thanks
>>> >>>>>>
>>> >>>>>> Kadri
>>> >>>>>>
>>> >>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> >>>>>>>
>>> >>>>>>> I am curious about the following change, which does not seem correct:
>>> >>>>>>>
>>> >>>>>>> //Specify the attributes to return
>>> >>>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"};
>>> >>>>>>> + String returnedAtts[]={"tokenGroups"};
>>> >>>>>>> searchCtls.setReturningAttributes(returnedAtts);
>>> >>>>>>>
>>> >>>>>>> Karl
>>> >>>>>>>
>>> >>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>>> >>>>>>>> Karl,
>>> >>>>>>>>
>>> >>>>>>>> The ActiveDirectoryAuthority.java is attached.
>>> >>>>>>>>
>>> >>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that
>>> >>>>>>>> from Tortoise.
>>> >>>>>>>> But you have my consent for granting the ASF license.
>>> >>>>>>>>
>>> >>>>>>>> Thanks
>>> >>>>>>>>
>>> >>>>>>>> Kadri
>>> >>>>>>>>
>>> >>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> >>>>>>>>>
>>> >>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the
>>> >>>>>>>>> ticket if you prefer. But you must click the "Grant ASF License"
>>> >>>>>>>>> button.
>>> >>>>>>>>>
>>> >>>>>>>>> Karl
>>> >>>>>>>>>
>>> >>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>>> >>>>>>>>>> Karl,
>>> >>>>>>>>>>
>>> >>>>>>>>>> I'm using Tortoise SVN, and I'm new to SVN.
>>> >>>>>>>>>> Do you know how to do this with Tortoise?
>>> >>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>> >>>>>>>>>> BTW, there are some changes in the ParseUser method also; you can
>>> >>>>>>>>>> see them all when you run the diff.
>>> >>>>>>>>>>
>>> >>>>>>>>>> Thanks
>>> >>>>>>>>>>
>>> >>>>>>>>>> Kadri
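The escaping question raised in the thread, worked through as an added example (this is not ManifoldCF's code): a value placed inside a search filter such as (sAMAccountName=...) follows RFC 4515 (backslash plus two hex digits for backslash, *, parentheses and NUL), whereas a value placed into a DN such as the CN=...,CN=Users searchbase follows RFC 4514 (a backslash before comma, +, ", \, <, >, ; and leading/trailing special characters), so the two contexts need different escapers. The class name and the sample user names are constructed; null input is rejected up front so a missing CN cannot silently become the literal text "cn=null".

```java
import java.util.Objects;

/** Escaping helpers for the two contexts in the thread: search filters and DNs. */
public final class LdapEscape {

    /** RFC 4515: escape a value placed inside a search filter such as (sAMAccountName=...). */
    public static String escapeFilterValue(String value) {
        Objects.requireNonNull(value, "filter value must not be null");
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {   // single pass, so repeated metacharacters cannot loop forever
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** RFC 4514: escape an attribute value placed inside a DN such as CN=...,CN=Users,DC=... */
    public static String escapeDnValue(String value) {
        Objects.requireNonNull(value, "DN value must not be null");
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean leading = i == 0 && (c == ' ' || c == '#');
            boolean trailing = i == value.length() - 1 && c == ' ';
            if (",+\"\\<>;".indexOf(c) >= 0 || leading || trailing) {
                sb.append('\\');               // backslash-prefix style, as in the "other case"
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** The filter from the thread, with the user name escaped instead of concatenated raw. */
    public static String userFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userName) + "))";
    }

    public static void main(String[] args) {
        // Constructed inputs that contain metacharacters of each grammar
        System.out.println(userFilter("smith*(test)"));
        System.out.println("CN=" + escapeDnValue("Atalay, Kadri") + ",CN=Users,DC=example,DC=com");
    }
}
```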