I agree we probably want a compatibility switch in the configuration switch. I'll create a ticket for that tomorrow morning, unless you would like to do it first. ;-)
Karl

On Fri, May 6, 2011 at 1:44 AM, Shinichiro Abe <shinichiro.ab...@gmail.com> wrote:
> Hi.
>
> I ran test in my environment. It works well.
> I confirmed that it was improved about the S-1-1-0 problem, incorrect
> responses, and implements by samAccountName.
> The test results are in attachments.
>
> One question:
> Size of samAccountName is specified as less than 20 characters.
> Size of Login Name is specified as over 20 characters(256).
> if a user does not support old version of OS and support only new version, it
> is hard for ManifoldCF to restrict 20 characters of Login name, I think. Is
> it rare? Is it okay that MCF always refers to samAccountName? It seems that
> we should add the compatible option.
>
> Thank you
> Shinichiro Abe
>
>
> On 2011/05/06, at 8:29, Karl Wright wrote:
>
>> I think yours was working because it was returning "cn=null,
>> cn=users", which was a result of the fact that cn was null and the
>> expression was assembled using the "+" operator. When I separated the
>> ldap escape out, it caused a null pointer exception to be thrown
>> instead. It should be fixed now.
>>
>> Karl
>>
>>
>> On Thu, May 5, 2011 at 7:19 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>>> Fyi. The file I sent you was returning usernotfound.
>>>
>>>
>>> Sent from my iPhone
>>>
>>> On May 5, 2011, at 7:12 PM, Karl Wright <daddy...@gmail.com> wrote:
>>>
>>>> It must mean we're somehow throwing an exception in the case where the
>>>> user is missing. I bet I know why - the CN lookup is failing instead.
>>>> I'll see if I can change it.
>>>>
>>>> Karl
>>>>
>>>> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.ka...@gmail.com>
>>>> wrote:
>>>>> It works, only difference I see with previous one is: if a domain is
>>>>> reachable, message usernotfound makes a better indicator, somehow we lost
>>>>> that.
>>>>>
>>>>>
>>>>> C:\OPT>testauthority
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> Previous one
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com"
>>>>> USERNOTFOUND:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com"
>>>>> AUTHORIZED:TEQA-DC
>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=kata...@teqa.filetek.com"
>>>>> AUTHORIZED:TEQA-DC
>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>
>>>>> C:\OPT>curl
>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain"
>>>>> UNREACHABLEAUTHORITY:TEQA-DC
>>>>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>>>>
>>>>>
>>>>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddy...@gmail.com> wrote:
>>>>>>
>>>>>> I've cleaned things up slightly to restore the objectSid and also to
>>>>>> fix an infinite loop if you have more than one comma in the escape
>>>>>> expression. I've attached the file, can you see if it works?
>>>>>>
>>>>>> Thanks,
>>>>>> Karl
>>>>>>
>>>>>>
>>>>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddy...@gmail.com> wrote:
>>>>>>> Thanks - we do need the user sid, so I will put that back.
>>>>>>>
>>>>>>> Also, I'd like to ask what you know about escaping the user name in
>>>>>>> this expression:
>>>>>>>
>>>>>>> String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName
>>>>>>> + "))";
>>>>>>>
>>>>>>> It seems to me that there is probably some escaping needed, but I
>>>>>>> don't know what style. Do you think it is the same (C-style, with \
>>>>>>> escape) as for the other case?
>>>>>>>
>>>>>>> Karl
>>>>>>>
>>>>>>> On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.ka...@gmail.com>
>>>>>>> wrote:
>>>>>>>> Hi Karl,
>>>>>>>>
>>>>>>>> String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>>>>>>> memberGroups,
>>>>>>>>
>>>>>>>> C:\OPT>curl
>>>>>>>>
>>>>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com"
>>>>>>>> AUTHORIZED:TEQA-DC
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-545
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-544
>>>>>>>> TOKEN:TEQA-DC:S-1-5-32-555
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-
>>>>>>>> 1212545812-2858578934-3563067286-1124
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>>>>>>> TOKEN:TEQA-DC:S-1-1-0
>>>>>>>>
>>>>>>>> but,
>>>>>>>>
>>>>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>>>>>>>> memberGroups AND SID for that user.
>>>>>>>> >>>>>>>> C:\OPT>curl >>>>>>>> >>>>>>>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com" >>>>>>>> AUTHORIZED:TEQA-DC >>>>>>>> TOKEN:TEQA-DC:S-1-5-32-545 >>>>>>>> TOKEN:TEQA-DC:S-1-5-32-544 >>>>>>>> TOKEN:TEQA-DC:S-1-5-32-555 >>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124 >>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512 >>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513 >>>>>>>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480 >>>>>>>> TOKEN:TEQA-DC:S-1-1-0 >>>>>>>> >>>>>>>> Since we are only interested in the member groups, tokenGroups is >>>>>>>> sufficient, but if you also need user SID then you might keep the >>>>>>>> objectSID >>>>>>>> as well. >>>>>>>> >>>>>>>> Thanks >>>>>>>> >>>>>>>> Kadri >>>>>>>> >>>>>>>> >>>>>>>> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddy...@gmail.com> wrote: >>>>>>>>> >>>>>>>>> I am curious about the following change, which does not seem correct: >>>>>>>>> >>>>>>>>> >>>>>>>>> //Specify the attributes to return >>>>>>>>> - String returnedAtts[] = {"tokenGroups","objectSid"}; >>>>>>>>> + String returnedAtts[]={"tokenGroups"}; >>>>>>>>> searchCtls.setReturningAttributes(returnedAtts); >>>>>>>>> >>>>>>>>> Karl >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.ka...@gmail.com> >>>>>>>>> wrote: >>>>>>>>>> Karl, >>>>>>>>>> >>>>>>>>>> The ActiveDirectoryAuthority.java is attached. >>>>>>>>>> >>>>>>>>>> I'm not sure about clicking "Grant ASF License", or how to do that >>>>>>>>>> from >>>>>>>>>> Tortoise. >>>>>>>>>> But, you got my consent for granting the ASF license. >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> >>>>>>>>>> Kadri >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddy...@gmail.com> >>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> You may attach the whole ActiveDirectoryAuthority.java file to the >>>>>>>>>>> ticket if you prefer. 
>>>>>>>>>>> But you must click the "Grant ASF License"
>>>>>>>>>>> button.
>>>>>>>>>>>
>>>>>>>>>>> Karl
>>>>>>>>>>>
>>>>>>>>>>> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>>>>>>>>>>> <atalay.ka...@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> Karl,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm using the Tortoise SVN, and new to SVN..
>>>>>>>>>>>> Do you know how to do this with Tortoise ?
>>>>>>>>>>>> Otherwise, I can just send the source code directly to you.
>>>>>>>>>>>> BTW, there are some changes in the ParseUser method also, you can
>>>>>>>>>>>> see
>>>>>>>>>>>> all
>>>>>>>>>>>> when you run the diff.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>>
>>>>>>>>>>>> Kadri
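
Review bot: The returnedAtts change quoted in Karl's 6:01 PM message removes "objectSid" from the requested attributes, and the two curl outputs Kadri posted show the effect: the token S-1-5-21-1212545812-2858578934-3563067286-1480 is returned only when "objectSid" is requested. Kadri's reply describes that extra value as the SID for the user, so with {"tokenGroups"} alone the user's own SID is missing from the token list. Keep String returnedAtts[] = {"tokenGroups","objectSid"}; and extend the "Specify the attributes to return" comment to say that objectSid supplies the user's own SID and tokenGroups the group SIDs, so the attribute is not dropped again as redundant.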