Identity Conversion Service

Introduction

In some cases, user names supplied via client service authentication (e.g. Windows sAMAccountName) may not have the same format as the users in the document ACLs (e.g. email address). As a result, the authorization does not work properly and users do not find their documents for which they would be authorized in principle. To correctly authorize these search hits, the user names must be converted.    

Configuration

Activate the plugin for each desired index in the Management Center Configuration:

• Go to the "Indices" tab and enable "Advanced Settings".
• Scroll down to the "Identity Conversion Services" section
• Select the "ReplacementConversion" plugin and click on "Add".
• Enter the path of the replacement CSV file in the "Path to replacement CSV" field.
• Select "LDAP Attribute" if instead of the user name an LDAP attribute e.g. UPN, DN or email address should be used for the regex rules in the CSV file. For the LDAP query the LDAP server hostname, username, password and domain are required.

CSV File Structure

The CSV file to be used for username replacement must have exactly two columns. The first column defines the RegEx rule (Java RegEx) for the username (or its LDAP attribute). If a rule matches the username, the username will be replaced with the value of the second column.

e.g. the following rule converts testlab\betra.brunner to betra.burnner@testlab

(.+*)\\(.+*);$1@$2

If there are multiple rules in the CSV file, all of them are compared with the user name. In this case the last matching rule will be applied.