[ https://issues.apache.org/jira/browse/CONNECTORS-891?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13902788#comment-13902788 ]

Karl Wright commented on CONNECTORS-891:
----------------------------------------

r1568808 (trunk)


> SharePoint 2010 claim space authorization fails for AD groups
> -------------------------------------------------------------
>
>                 Key: CONNECTORS-891
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-891
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: SharePoint connector
>    Affects Versions: ManifoldCF 1.5
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.5.1, ManifoldCF 1.6
>
>
> It looks like, at least in some cases, in SharePoint 2010 it is not 
> SharePoint groups that correspond to AD groups, but rather SharePoint *users* 
> that correspond to AD groups.  For example:
> {code}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>    <soap:Body>
>       <GetUserCollectionFromGroupResponse 
> xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
>          <GetUserCollectionFromGroupResult>
>             <GetUserCollectionFromGroup>
>                <Users>
>                   <User ID="3620" Sid="" Name="Axxx Dxxx" 
> LoginName="i:0#.w|domain\dxxx" Email="..." Notes="" IsSiteAdmin="False" 
> IsDomainGroup="False" Flags="0"/>
>                   <User ID="1199" Sid="" Name="itstrain" 
> LoginName="i:0#.w|domain\itstrain" Email="..." Notes="" IsSiteAdmin="False" 
> IsDomainGroup="False" Flags="0"/>
>                   <User ID="2871" Sid="" Name="Law Library helpdesk account" 
> LoginName="i:0#.w|domain\reflaw" Email="..." Notes="" IsSiteAdmin="False" 
> IsDomainGroup="False" Flags="0"/>
>                   <User ID="5135" Sid="" Name="Library Desk - GP" 
> LoginName="i:0#.w|domain\lib-deskgp" Email="" Notes="" IsSiteAdmin="False" 
> IsDomainGroup="False" Flags="0"/>
>                   <User ID="5899" Sid="" Name="DOMAIN\$0kjf00-gcsje70g79fm" 
> LoginName="c:0+.w|s-1-5-21-3052554794-3770484871-3874881240-511616" Email="" 
> Notes="" IsSiteAdmin="False" IsDomainGroup="True" Flags="0"/>
>                </Users>
>             </GetUserCollectionFromGroup>
>          </GetUserCollectionFromGroupResult>
>       </GetUserCollectionFromGroupResponse>
>    </soap:Body>
> </soap:Envelope>
> {code}
> We therefore need to look at child users of groups to come up with the right 
> tokens.  Furthermore, the SharePoint/AD authority should always generate user 
> tokens, not group tokens.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
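
An added example, not ManifoldCF code and not part of the original message: one way to split the `<User>` entries of a `GetUserCollectionFromGroup` response into ordinary users and AD groups that appear as SharePoint users, using the `IsDomainGroup` attribute and the `i:0#.w|` / `c:0+.w|` claim prefixes seen in the quoted response. The function name `classify_members`, the sample data and the SID normalization are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the quoted response (names and SID are made up).
SAMPLE = r"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <GetUserCollectionFromGroupResponse
      xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
   <GetUserCollectionFromGroupResult><GetUserCollectionFromGroup><Users>
    <User ID="1" Name="Example User" LoginName="i:0#.w|domain\euser"
          IsDomainGroup="False"/>
    <User ID="2" Name="DOMAIN\$example" IsDomainGroup="True"
          LoginName="c:0+.w|s-1-5-21-1111111111-2222222222-3333333333-1001"/>
    <User ID="3" Name="Odd entry" LoginName="domain\legacy" IsDomainGroup="False"/>
   </Users></GetUserCollectionFromGroup></GetUserCollectionFromGroupResult>
  </GetUserCollectionFromGroupResponse>
 </soap:Body>
</soap:Envelope>"""


def classify_members(soap_xml):
    """Split the <User> entries of one response into
    (user_logins, ad_group_sids, unrecognized)."""
    if "<!DOCTYPE" in soap_xml:  # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in SOAP response")
    users, group_sids, unrecognized = [], [], []
    for el in ET.fromstring(soap_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "User":  # match on local name
            continue
        login = el.get("LoginName", "")
        prefix, _, value = login.partition("|")
        is_group = el.get("IsDomainGroup", "").lower() == "true"
        if is_group and prefix == "c:0+.w" and value.lower().startswith("s-1-"):
            # AD group listed as a SharePoint "user"; the claim value is its SID.
            # Upper-casing for comparison is an assumption of this example.
            group_sids.append(value.upper())
        elif not is_group and prefix == "i:0#.w" and value:
            users.append(value)
        else:
            # Fail closed: never turn an unparsed entry into an access token.
            unrecognized.append(login)
    return users, group_sids, unrecognized
```

Entries that land in the third list are reported rather than mapped to tokens, so an unexpected claim encoding cannot silently widen or narrow access.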
