*Yes, ManifoldCF is running with JCIFS connector, and using Solr 3.1*

*response to first call:*
C:\OPT\security_example>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=joe"
UNREACHABLEAUTHORITY:TEQA-DC
TOKEN:TEQA-DC:DEAD_AUTHORITY

*response to fake domain call:*
C:\OPT\security_example>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=joe@fakedomain"
AUTHORIZED:TEQA-DC
TOKEN:TEQA-DC:S-1-1-0

*response to actual domain account call:*
C:\OPT\security_example>curl "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
AUTHORIZED:TEQA-DC
TOKEN:TEQA-DC:S-1-1-0

Looks like as long as there is a domain suffix, return is positive..

Thanks

Kadri

On Tue, Apr 26, 2011 at 12:10 PM, Karl Wright <daddy...@gmail.com> wrote:

> So you are trying to extend the example in the book, correct, to run
> against active directory and the JCIFS connector? And this is with
> Solr 3.1?
>
> The book was written for Solr 1.4.1, so it's entirely possible that
> something in Solr changed in relation to the way search components are
> used. So I think we're going to need to do some debugging.
>
> (1) First, to confirm sanity, try using curl against the mcf authority
> service. Try some combination of users to see how that works, e.g.:
>
> curl "http://localhost:8345/mcf-authority-service/UserACLs?username=joe"
>
> ...and
>
> curl "http://localhost:8345/mcf-authority-service/UserACLs?username=joe@fakedomain"
>
> ...and also the real domain name, whatever that is. See if the access
> tokens that come back look correct. If they don't then we know where
> there's an issue.
>
> If they *are* correct, let me know and we'll go to the next stage,
> which would be to make sure the authority service is actually getting
> called and the proper query is being built and run under Solr 3.1.
>
> Thanks,
> Karl
>
> On Tue, Apr 26, 2011 at 11:59 AM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
> > Hi Karl,
> >
> > I followed the instructions, and for testing purposes set "stored=true" to
> > be able to see the ACL values stored in Solr.
> >
> > But, when I run the search in following format I get peculiar results..
> > :
> > http://10.1.200.155:8080/solr/select/?q=*%3A*&AuthenticatedUserName=username
> >
> > Any user name without a domain name ie AuthenticatedUserName=joe does not
> > return any results (which is correct)
> > But any user name with ANY domain name returns all the indexes ie
> > AuthenticatedUserName=joe@fakedomain (which is not correct)
> >
> > Any thoughts ?
> >
> > Thanks
> >
> > Kadri
> >
> > On Sun, Apr 24, 2011 at 7:08 PM, Karl Wright <daddy...@gmail.com> wrote:
> >>
> >> Solr 3.1 is being clever here; it's seeing arguments coming in that do
> >> not correspond to known schema fields, and presuming they are
> >> "automatic" fields. So when the schema is unmodified, you see these
> >> fields that Solr creates for you, with the attr_ prefix. They are
> >> created as being "stored", which is not good for access tokens since
> >> then you will see them in the response. I don't know if they are
> >> indexed or not, but I imagine not, which is also not good.
> >>
> >> So following the instructions is still the right thing to do, I would say.
> >>
> >> Karl
> >>
> >> On Fri, Apr 22, 2011 at 3:24 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
> >> > Hi Karl,
> >> >
> >> > There is one thing I noticed while following the example in chapter 4.:
> >> > Prior to making any changes into the schema.xml, I was able to see the
> >> > following security information in query responses:
> >> > ie:
> >> >
> >> > <doc>
> >> >   <arr name="attr_allow_token_document">
> >> >     <str>TEQA-DC:S-1-3-0</str>
> >> >     <str>TEQA-DC:S-1-5-13</str>
> >> >     <str>TEQA-DC:S-1-5-18</str>
> >> >     <str>TEQA-DC:S-1-5-32-544</str>
> >> >     <str>TEQA-DC:S-1-5-32-545</str>
> >> >     <str>TEQA-DC:S-1-5-32-547</str>
> >> >   </arr>
> >> >   <arr name="attr_allow_token_share">
> >> >     <str>TEQA-DC:S-1-1-0</str>
> >> >     <str>TEQA-DC:S-1-5-2</str>
> >> >     <str>TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480</str>
> >> >   </arr>
> >> >   <arr name="attr_content">
> >> >     <str>
> >> >     Autonomy ODBC Fetch Technical Brief 0506
> >> >     Technical Brief
> >> >
> >> >
> >> > But, after I modified the schema.xml, and added the following fields,
> >> >   <!-- Security fields -->
> >> >   <field name="allow_token_document" type="string" indexed="true" stored="false" multiValued="true"/>
> >> >   <field name="deny_token_document" type="string" indexed="true" stored="false" multiValued="true"/>
> >> >   <field name="allow_token_share" type="string" indexed="true" stored="false" multiValued="true"/>
> >> >   <field name="deny_token_share" type="string" indexed="true" stored="false" multiValued="true"/>
> >> >
> >> > I no longer see either the attr_allow_token_document or the
> >> > allow_token_document fields..
> >> >
> >> > Since same fields exist with attr_ prefix, do we need to add these new
> >> > field names into the schema file, or can we simply change ManifoldSecurity
> >> > to use attr_ fields ?
> >> >
> >> > Also, when Solr is running under Tomcat, I have to re-start the Solr App, or
> >> > re-start Tomcat to see the newly added indexes..
> >> >
> >> > Any thoughts ?
> >> >
> >> > Thanks
> >> >
> >> > Kadri
> >> >
> >> > On Fri, Apr 22, 2011 at 12:53 PM, Karl Wright <daddy...@gmail.com> wrote:
> >> >>
> >> >> I don't believe Solr has yet officially released document access
> >> >> control, so you will need to use the patch for ticket 1895.
> >> >> Alternatively, the ManifoldCF in Action chapter 4 example has an
> >> >> implementation based on this ticket. You can get the code for it at
> >> >>
> >> >> https://manifoldcfinaction.googlecode.com/svn/trunk/edition_1/security_example.
> >> >>
> >> >> Thanks,
> >> >> Karl
> >> >>
> >> >>
> >> >> On Fri, Apr 22, 2011 at 11:45 AM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
> >> >> > Hello,
> >> >> >
> >> >> > Does anyone know which version of Solr implements the Document Level
> >> >> > Access Control, or has it implemented (partially or fully) ?
> >> >> > Particularly issue #s 1834, 1872, 1895
> >> >> >
> >> >> > Thanks
> >> >> >
> >> >> > Kadri
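
The curl sanity check from this thread, automated as an added example (not part of the original messages and not ManifoldCF code): it parses UserACLs replies and flags a made-up identity that comes back AUTHORIZED, and any authorized reply whose only token is the Everyone SID S-1-1-0. The reply strings are the three quoted in the thread; the function names and the `known_bogus` labelling are assumptions of this example.

```python
from dataclasses import dataclass, field

EVERYONE_SID = "S-1-1-0"  # well-known Windows "Everyone" SID


@dataclass
class AuthorityReply:
    status: dict = field(default_factory=dict)  # authority name -> status keyword
    tokens: set = field(default_factory=set)    # "AUTHORITY:token" strings


def parse_user_acls(body):
    """Parse a UserACLs reply; items are whitespace/newline separated as in the thread."""
    reply = AuthorityReply()
    for item in body.split():
        keyword, _, rest = item.partition(":")
        if keyword == "TOKEN":
            reply.tokens.add(rest)
        elif rest:
            reply.status[rest] = keyword
    return reply


def is_authorized(reply):
    return bool(reply.status) and all(s == "AUTHORIZED" for s in reply.status.values())


def only_everyone(reply):
    """True when every returned token is the Everyone SID (no user-specific SIDs)."""
    return bool(reply.tokens) and all(
        t.rsplit(":", 1)[-1] == EVERYONE_SID for t in reply.tokens)


def audit(probes, known_bogus):
    """Return findings for {username: raw reply}; known_bogus names made-up identities."""
    findings = []
    for user, body in probes.items():
        reply = parse_user_acls(body)
        if user in known_bogus and is_authorized(reply):
            findings.append(f"{user}: nonexistent identity was AUTHORIZED")
        if is_authorized(reply) and only_everyone(reply):
            findings.append(f"{user}: only the Everyone SID returned")
    return findings


# Replies as quoted in the thread; which user is "bogus" is this example's assumption.
PROBES = {
    "joe": "UNREACHABLEAUTHORITY:TEQA-DC TOKEN:TEQA-DC:DEAD_AUTHORITY",
    "joe@fakedomain": "AUTHORIZED:TEQA-DC TOKEN:TEQA-DC:S-1-1-0",
    "katalay_admin@teqa": "AUTHORIZED:TEQA-DC TOKEN:TEQA-DC:S-1-1-0",
}

if __name__ == "__main__":
    for line in audit(PROBES, known_bogus={"joe@fakedomain"}):
        print(line)
```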