I should also add that it is really helpful for diagnosing problems of this kind to use curl, e.g.:

curl http://localhost:8345/mcf-authority-service/[email protected]

... and see what gets returned. If you see DEAD_AUTHORITY in the list of acls, don't expect to see any documents from the associated authority group.

Thanks,
Karl

On Tue, Oct 28, 2014 at 12:09 PM, Karl Wright <[email protected]> wrote:

> Hi Kambiz,
>
> The Active Directory authority is not an "additive" authority, so you
> cannot use it within the same authorization group with other authorities,
> and expect it to work cumulatively. The reason is that when there is a
> problem (e.g. user not found or server unreachable), the authority asserts
> the "DEAD_AUTHORITY" token, which effectively disables any documents from
> being returned. This is necessary whenever the repository has a security
> model that has "deny" tokens, and that's the case for most repositories
> secured by Active Directory.
>
> For this reason, we long ago added the ability to have multiple Active
> Directory domains within the same Active Directory authority. This is what
> you should use, since it will behave in the manner you expect.
>
> Thanks,
> Karl
>
> On Tue, Oct 28, 2014 at 11:35 AM, Kambiz Niktabar <[email protected]>
> wrote:
>
>> Hello,
>>
>> I want to have two active directory connections (intranet and extranet
>> AD) in one Authority group but it seems it’s not working as expected. I’m
>> getting hits when I have only Intranet AD in the authority group and I got
>> zero hits when I add Extranet AD into the same authority group
>>
>> I attached Solr log files for two scenarios.
>>
>> Regards
>> Kambiz
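
The behaviour described in this thread, as an added example that is not part of the original messages and is not ManifoldCF code: a simplified Python model of why one failing Active Directory authority in a group yields zero hits. All function names, user names and token strings are constructed, and the rules that every secured document carries DEAD_AUTHORITY as a deny token and that a multi-domain authority fails only when no domain knows the user are assumptions of this model.

```python
DEAD_AUTHORITY = "DEAD_AUTHORITY"  # token name taken from the thread

def authority_tokens(directory, user):
    """Non-additive authority: the user's tokens, or DEAD_AUTHORITY on any problem."""
    groups = directory.get(user)
    if groups is None:  # models "user not found or server unreachable"
        return {DEAD_AUTHORITY}
    return set(groups)

def group_tokens(directories, user):
    """Authority group: tokens of every authority in the group are combined."""
    tokens = set()
    for directory in directories:
        tokens |= authority_tokens(directory, user)
    return tokens

def multi_domain_tokens(domains, user):
    """One authority, several domains (assumed rule: fail only if no domain knows the user)."""
    found = [set(d[user]) for d in domains if user in d]
    return set().union(*found) if found else {DEAD_AUTHORITY}

def visible(docs, tokens):
    """Return a document only if an allow token matches and no deny token matches."""
    return [name for name, allow, deny in docs
            if tokens & allow and not tokens & deny]

def diagnose(tokens):
    """The check suggested in the thread: look for DEAD_AUTHORITY in the user's acls."""
    return "dead authority: expect zero hits" if DEAD_AUTHORITY in tokens else "ok"

# Constructed sample data: two directories and two secured documents.
INTRANET = {"alice": {"SID-INTRANET-STAFF"}}
EXTRANET = {"bob": {"SID-EXTRANET-PARTNERS"}}
DOCS = [
    ("hr.pdf", {"SID-INTRANET-STAFF"}, {DEAD_AUTHORITY}),
    ("partner.pdf", {"SID-EXTRANET-PARTNERS"}, {DEAD_AUTHORITY}),
]

if __name__ == "__main__":
    for label, tokens in [
        ("intranet only", group_tokens([INTRANET], "alice")),
        ("intranet + extranet in one group", group_tokens([INTRANET, EXTRANET], "alice")),
        ("one multi-domain authority", multi_domain_tokens([INTRANET, EXTRANET], "alice")),
    ]:
        print(f"{label}: {diagnose(tokens)}, hits={visible(DOCS, tokens)}")
```
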
