Hi Karl,

I have changed the authority group to Native SharePoint instead of Active
Directory, and I can see the allow tokens in the Solr index as follows:

"allow_token_document":["Authority+Group:Ui%3A0%23.w%7Clagom%5Cadministrator",
          "Authority+Group:GExcel+Services+Viewers",
          "Authority+Group:GRestricted+Readers",
          "Authority+Group:Gtestsite+Members",
          "Authority+Group:GHierarchy+Managers",
          "Authority+Group:GApprovers",
          "Authority+Group:Gtestsite+Visitors",
          "Authority+Group:Gtestsite+Owners",
          "Authority+Group:GDesigners"],


If I select the "Active Directory" setting, I don't see any tokens.

"allow_token_document":["Authority+Group:"],

I tried user profile synchronization from Active Directory. I followed
https://blogs.technet.microsoft.com/meacoex/2013/08/04/step-by-step-active-directory-import-for-sharepoint-2013/
I could see all Active Directory users in SharePoint. Then I requested
GetUserInfo and GetGroupCollectionFromUser in the SharePoint API via soapUI, but
the Sid field is empty for all users. You can see the responses as follows:

<GetUserInfo>
   <User ID="17" Sid="" Name="testUser" LoginName="i:0#.w|lagom\testUser" Email="[email protected]" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
</GetUserInfo>

<GetUserCollectionFromGroup>
   <Users>
      <User ID="17" Sid="" Name="testUser" LoginName="i:0#.w|lagom\testUser" Email="[email protected]" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
      <User ID="18" Sid="" Name="testUser2" LoginName="i:0#.w|lagom\testUser2" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
   </Users>
</GetUserCollectionFromGroup>

I created an issue on StackExchange. You can see it here:
http://sharepoint.stackexchange.com/questions/203761/sid-have-empty-values-after-sharepoint-userprofile-sync
I can see the "sid" value if I send a request to the SharePoint REST API like this:
<siteurl>/_api/sp.userprofiles.peoplemanager/getuserprofilepropertyfor(accountname=@v, propertyname='SID')?@v='testdomain\testUser'

The response:
<d:GetUserProfilePropertyFor xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">S-1-5-21-151231991-263585328-740192949-1109</d:GetUserProfilePropertyFor>

Then I saw a ManifoldCF issue:
https://issues.apache.org/jira/browse/CONNECTORS-754. The issue was
resolved, but I'm having the same problem.







2016-12-28 14:41 GMT+03:00 Karl Wright <[email protected]>:

> Hi Cihad,
>
> In your case, then, the connector is calling the "Users:
> GetUserCollectionFromGroup" SOAP method in the SharePoint API.  This
> method is supposed to list the users that belong to the group, but I
> suspect that your SharePoint instance is not set up to work in that way,
> and that you should in fact set your MCF up as follows:
>
> - Do NOT select the "Active directory" setting.  Use "claims-based"
> instead.
> - Use the appropriate SharePoint "native" authority.
>
> Read up on how to do that here:
>
> http://manifoldcf.apache.org/release/release-2.5/en_US/end-user-documentation.html#sharepointrepository
>
> Thanks,
> Karl
>
>
> On Wed, Dec 28, 2016 at 6:26 AM, Cihad Guzel <[email protected]> wrote:
>
>> Hi Karl,
>>
>> I selected "Active Directory". My SharePoint server runs with Active
>> Directory.
>>
>> 2016-12-28 14:13 GMT+03:00 Karl Wright <[email protected]>:
>>
>>> Hi Cihad,
>>>
>>> The code for looking for document ACLs is as follows:
>>>
>>> >>>>>>
>>>         Object node = nodeList.get( i );
>>>         String mask = doc.getValue( node, "Mask" );
>>>         long maskValue = new Long(mask).longValue();
>>>         if ((maskValue & 1L) == 1L)
>>>         {
>>>           // Permission to view
>>>           String isUser = doc.getValue( node, "MemberIsUser" );
>>>
>>>           if ( isUser.compareToIgnoreCase("True") == 0 )
>>>           {
>>>             // Use AD user or group
>>>             String userLogin = doc.getValue( node, "UserLogin" );
>>>             String userSid = getSidForUser( userCall, userLogin, activeDirectoryAuthority );
>>>             sids.add( userSid );
>>>           }
>>>           else
>>>           {
>>>             // Role
>>>             List<String> roleSids;
>>>             String roleName = doc.getValue( node, "RoleName" );
>>>             if ( roleName.length() == 0)
>>>             {
>>>               roleName = doc.getValue(node,"GroupName");
>>>               roleSids = getSidsForGroup(userCall, roleName, activeDirectoryAuthority);
>>>             }
>>>             else
>>>             {
>>>               roleSids = getSidsForRole(userCall, roleName, activeDirectoryAuthority);
>>>             }
>>>
>>>             for (String sid : roleSids)
>>>             {
>>>               sids.add( sid );
>>>             }
>>>           }
>>>         }
>>>
>>> <<<<<<
>>>
>>> So, in your example, getSidsForGroup() should be getting called.  The
>>> code for that is as follows:
>>>
>>> >>>>>>
>>>   private List<String> getSidsForGroup(com.microsoft.schemas.sharepoint.soap.directory.UserGroupSoap userCall, String groupName,
>>>     boolean activeDirectoryAuthority)
>>>     throws ManifoldCFException, java.net.MalformedURLException, javax.xml.rpc.ServiceException, java.rmi.RemoteException
>>>   {
>>>     List<String> rval = new ArrayList<String>();
>>>
>>>     com.microsoft.schemas.sharepoint.soap.directory.GetUserCollectionFromGroupResponseGetUserCollectionFromGroupResult roleResp = userCall.getUserCollectionFromGroup(groupName);
>>>     org.apache.axis.message.MessageElement[] roleList = roleResp.get_any();
>>>
>>>     if (roleList.length != 1)
>>>       throw new ManifoldCFException("Bad response - expecting one outer 'GetUserCollectionFromGroup' node, saw "+Integer.toString(roleList.length));
>>>
>>>     MessageElement roles = roleList[0];
>>>     if (!roles.getElementName().getLocalName().equals("GetUserCollectionFromGroup"))
>>>       throw new ManifoldCFException("Bad response - outer node should have been 'GetUserCollectionFromGroup' node");
>>>
>>>     Iterator rolesIter = roles.getChildElements();
>>>
>>>     if (!activeDirectoryAuthority)
>>>     {
>>>       // We need not only the group itself, but its user children that are Claims-based entities
>>>       rval.add("G"+groupName);
>>>       while (rolesIter.hasNext())
>>>       {
>>>         MessageElement child = (MessageElement)rolesIter.next();
>>>         if (child.getElementName().getLocalName().equals("Users"))
>>>         {
>>>           Iterator usersIterator = child.getChildElements();
>>>           while (usersIterator.hasNext())
>>>           {
>>>             MessageElement user = (MessageElement)usersIterator.next();
>>>             if (user.getElementName().getLocalName().equals("User"))
>>>             {
>>>               String isDomainGroup = user.getAttribute("IsDomainGroup");
>>>               if (isDomainGroup != null && isDomainGroup.equals("True"))
>>>               {
>>>                 // Add a user token for the domain group
>>>                 rval.add("U"+user.getAttribute("LoginName"));
>>>               }
>>>             }
>>>           }
>>>         }
>>>       }
>>>     }
>>>     else
>>>     {
>>>       while (rolesIter.hasNext())
>>>       {
>>>         MessageElement child = (MessageElement)rolesIter.next();
>>>         if (child.getElementName().getLocalName().equals("Users"))
>>>         {
>>>           Iterator usersIterator = child.getChildElements();
>>>           while (usersIterator.hasNext())
>>>           {
>>>             MessageElement user = (MessageElement)usersIterator.next();
>>>             if (user.getElementName().getLocalName().equals("User"))
>>>             {
>>>               rval.add(user.getAttribute("Sid"));
>>>             }
>>>           }
>>>         }
>>>       }
>>>     }
>>>     return rval;
>>>   }
>>>
>>> <<<<<<
>>>
>>> So what happens there depends on what you've selected for the
>>> connection's "use Active Directory authority" selection.  What have you
>>> chosen?
>>>
>>> Karl
>>>
>>> On Wed, Dec 28, 2016 at 5:35 AM, Cihad Guzel <[email protected]> wrote:
>>>
>>>> Hi Karl,
>>>>
>>>> 1- Yes, I selected Sharepoint 2013,
>>>> 2- Yes, I installed the plugin in my Sharepoint server.
>>>>
>>>> 2016-12-28 2:54 GMT+03:00 Karl Wright <[email protected]>:
>>>>
>>>>> Hi Cihad,
>>>>>
>>>>> Some questions:
>>>>> (1) Have you selected "SharePoint 2013" in your SharePoint connection?
>>>>> (2) Have you installed the ManifoldCF SharePoint 2013 plugin on your
>>>>> SharePoint server?
>>>>>
>>>>> You will need to do both of these in order for SharePoint 2013 ACLs to
>>>>> work right.
>>>>>
>>>>> Thanks,
>>>>> Karl
>>>>>
>>>>>
>>>>> On Tue, Dec 27, 2016 at 3:01 PM, Cihad Guzel <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am trying MCF with SharePoint 2013. First, I installed the SharePoint
>>>>>> plugin and then ran my job. My files in SharePoint are indexed successfully
>>>>>> to Solr. But I don't see the ACLs in the Solr index. You can see my sample Solr
>>>>>> data as follows:
>>>>>>
>>>>>> "filename":"Sample.doc",
>>>>>> "allow_token_document":["Authority+Group:"],
>>>>>> "deny_token_document":["Authority+Group:DEAD_AUTHORITY"],
>>>>>> "deny_token_parent":["__nosecurity__"],
>>>>>> "allow_token_share":["__nosecurity__"],
>>>>>> "allow_token_parent":["__nosecurity__"],
>>>>>> "deny_token_share":["__nosecurity__"],
>>>>>>
>>>>>> I ran the SharePoint connector in debug mode. I followed the ManifoldCF log
>>>>>> but I don't see any errors in it. I can see "getDocumentACLs xml response:" in
>>>>>> the log as follows:
>>>>>>
>>>>>> <ns1:GetPermissionCollection ><ns1:Permissions>
>>>>>> ...
>>>>>>   <ns1:Permission MemberID="3" Mask="-1" MemberIsUser="False" MemberGlobal="True" GroupName="testsite Owners"/>
>>>>>>        ...
>>>>>>     </ns1:Permissions>
>>>>>> </ns1:GetPermissionCollection>
>>>>>>
>>>>>> How can I solve the problem?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards
>>>>>> Cihad Güzel
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Teşekkürler
>>>> Cihad Güzel
>>>>
>>>
>>>
>>
>>
>> --
>> Teşekkürler
>> Cihad Güzel
>>
>
>


-- 
Teşekkürler
Cihad Güzel
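
An added example, not part of the thread and not ManifoldCF code: a Python rendering of the two branches of the quoted `getSidsForGroup()`, run over a constructed response shaped like the one above, plus a check that flags index documents whose security fields hold an empty-valued token such as `"Authority+Group:"`. The function names, the sample XML and the domain-group login name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the GetUserCollectionFromGroup response in the thread.
# The second member (a domain group) and its LoginName are invented for illustration.
SAMPLE_RESPONSE = """<GetUserCollectionFromGroup>
  <Users>
    <User ID="17" Sid="" Name="testUser" LoginName="i:0#.w|lagom\\testUser" IsDomainGroup="False"/>
    <User ID="19" Sid="" Name="staff" LoginName="c:0+.w|constructed-group-claim" IsDomainGroup="True"/>
  </Users>
</GetUserCollectionFromGroup>"""

# Solr fields as posted in the thread (subset).
SAMPLE_DOC = {
    "filename": "Sample.doc",
    "allow_token_document": ["Authority+Group:"],
    "deny_token_document": ["Authority+Group:DEAD_AUTHORITY"],
    "allow_token_share": ["__nosecurity__"],
}

def _local(tag):
    # Strip an XML namespace, like getLocalName() in the quoted Java.
    return tag.rsplit("}", 1)[-1]

def tokens_for_group(response_xml, group_name, active_directory_authority):
    """Mirror the branch logic of the quoted getSidsForGroup()."""
    root = ET.fromstring(response_xml)
    users = [u for grp in root if _local(grp.tag) == "Users"
             for u in grp if _local(u.tag) == "User"]
    if active_directory_authority:
        # AD branch: the Sid attribute is used as-is, so a blank Sid becomes a blank token.
        return [u.get("Sid", "") for u in users]
    # Claims branch: the group token, plus a user token for each domain-group member.
    tokens = ["G" + group_name]
    tokens += ["U" + u.get("LoginName", "") for u in users
               if u.get("IsDomainGroup") == "True"]
    return tokens

def empty_token_fields(doc):
    """Return the *_token_* fields that contain 'prefix:' with nothing after the colon."""
    flagged = []
    for field, values in doc.items():
        if "_token_" not in field:
            continue
        if any(":" in v and v.partition(":")[2] == "" for v in values):
            flagged.append(field)
    return sorted(flagged)

if __name__ == "__main__":
    print(tokens_for_group(SAMPLE_RESPONSE, "testsite Owners", True))
    print(tokens_for_group(SAMPLE_RESPONSE, "testsite Owners", False))
    print(empty_token_fields(SAMPLE_DOC))
```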
