ManifoldCF / CONNECTORS-460

ManifoldCF authority service doesn't handle multi-domain environments


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: ManifoldCF 0.1, ManifoldCF 0.2, ManifoldCF 0.3, ManifoldCF 0.4, ManifoldCF 0.5, ManifoldCF 0.6
    • Fix Version/s: ManifoldCF 0.6
    • Environment: Two Active Directory domains: internal.com and external.com

      I'm indexing a Sharepoint site, where that site has permissions set from both domains

    Description

      The ManifoldCF authority service doesn't handle multi-domain environments.

      The authority service returns a list of SIDs for the specified user, from all available ManifoldCF authorities, for example:

      TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234

      Note that the SID is prefixed with the name of the ManifoldCF authority.

      Here is my setup:

      Output connector: Solr
      Authority connector1: Active Directory (internal.com domain), named InternalAD
      Authority connector2: Active Directory (external.com domain), named ExternalAD
      Repository connector: Sharepoint

      If I set the Sharepoint repository connector to use the authority 'None (Global Authority)', then allow_token_document will contain SIDs that are not prefixed with any authority name, for example:

      S-1-5-21-1234567890-1234567890-1234567890-1234

      It is therefore not possible to get any search results, because the authority service tokens will not match the stored tokens (because they are prefixed with authority names).

      If I set the Sharepoint repository connector to use one of the AD authorities 'InternalAD', then allow_token_document will contain SIDs that are prefixed with 'InternalAD', for example:

      TOKEN:InternalAD:S-1-5-21-1234567890-1234567890-1234567890-1234

      However, the prefix is always 'InternalAD', even if the user/group actually belongs to the external.com domain. Therefore it is not possible for users in the external.com domain to get any search results, because the authority service tokens will not match the stored tokens.

      In essence, there seems to be a mismatch between the tokens that the authority service outputs, and those that repository connectors output.

      Perhaps one solution would be to use the authority 'None (Global Authority)', and modify the authority service to take an extra query parameter that prevents it from prefixing SIDs with the authority name.
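The mismatch described above, modelled as an added example (not ManifoldCF code, and not the fix that closed this issue): the authority service prefixes each SID with the name of the authority that resolved it, while the repository connector either stores bare SIDs (Global Authority) or prefixes every SID with the single configured authority. The authority names, SIDs and domain mapping are constructed, and the assumption that each AD authority only resolves SIDs from its own domain is a simplification.

```python
# Constructed setup mirroring the report: two AD authorities, one per domain.
AUTHORITIES = {"InternalAD": "internal.com", "ExternalAD": "external.com"}

# Constructed directory data: the SIDs each user holds and the domain of each SID.
USER_SIDS = {
    "alice@internal.com": ["S-1-5-21-1111111111-1111111111-1111111111-1001"],
    "bob@external.com": ["S-1-5-21-2222222222-2222222222-2222222222-2001"],
}
SID_DOMAIN = {
    "S-1-5-21-1111111111-1111111111-1111111111-1001": "internal.com",
    "S-1-5-21-2222222222-2222222222-2222222222-2001": "external.com",
}


def authority_service_tokens(user):
    """Model of the authority service: every authority returns the SIDs it can
    resolve for the user, each prefixed TOKEN:<authority name>:<sid>.
    Assumption: an authority only resolves SIDs from its own domain."""
    tokens = set()
    for name, domain in AUTHORITIES.items():
        for sid in USER_SIDS.get(user, []):
            if SID_DOMAIN[sid] == domain:
                tokens.add(f"TOKEN:{name}:{sid}")
    return tokens


def document_tokens(acl_sids, repository_authority):
    """Model of allow_token_document as the repository connector writes it.
    None stands for 'None (Global Authority)' and yields bare SIDs; otherwise the
    one configured authority name is prefixed to every SID, whatever its domain."""
    if repository_authority is None:
        return set(acl_sids)
    return {f"TOKEN:{repository_authority}:{sid}" for sid in acl_sids}


def document_tokens_per_domain(acl_sids):
    """Hypothetical consistent scheme (not the project's fix): prefix each SID
    with the authority that owns that SID's domain, so stored tokens line up
    with what the authority service emits."""
    authority_for_domain = {domain: name for name, domain in AUTHORITIES.items()}
    return {f"TOKEN:{authority_for_domain[SID_DOMAIN[sid]]}:{sid}" for sid in acl_sids}


def can_see(user, doc_tokens):
    """A document is returned only if at least one token from the authority
    service matches a token stored on the document."""
    return bool(authority_service_tokens(user) & doc_tokens)


# Constructed SharePoint ACL that grants access to principals from both domains.
ACL = list(SID_DOMAIN)
```

With the repository connector set to InternalAD, `can_see` is true for the internal.com user and false for the external.com user; with Global Authority it is false for both, while the per-domain scheme matches both.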


          People

            Karl Wright (kwright@metacarta.com)
            Colin Anderson (cocowalla)
            Votes: 0
            Watchers: 1
