Copyright © Mindbreeze GmbH, A-4020 Linz.
All rights reserved. All hardware and software names used are registered trade names and/or registered trademarks of the respective manufacturers.
These documents are highly confidential. No rights to our software or our professional services, or results of our professional services, or other protected rights can be based on the handing over and presentation of these documents.
Distribution, publication or duplication is not permitted.
The term ‘user‘ is used in a gender-neutral sense throughout the document.
This chapter describes how to prepare the rights for the crawler.
The LDAP Connector allows the crawling and searching for objects in an LDAP directory, such as Microsoft Active Directory or Novell eDirectory.
To be able to crawl these objects, the crawling user needs read rights.
Click on “Indices” and on the “Add new index” icon to create a new index.
Enter a new index path, for example “/data/indices/ldap”. If necessary, change the display name of the index service and the associated Filter Services.
With “Add new custom source” at the bottom right, a new data source can be added.
The following parameters must be configured:
Initial synchronization re-indexes documents that could not be indexed correctly in previous crawling runs, for example because of transport errors or filtering errors.
When configuring a cache for a Principal Resolution Service, Microsoft Active Directory and Novell eDirectory are supported. The following chapters demonstrate how to perform the configurations in both cases.
When using data sources like Microsoft Exchange and Microsoft File, the management of groups and logins is done by Microsoft Active Directory. In the new or existing service, select the CachingLdapPrincipalResolution option in the Service setting. For more information about additional configuration options and how to create a cache and how to do the basic configuration of a cache for a Principal Resolution Service, see Installation & Configuration - Caching Principal Resolution Service.
The following chapters demonstrate the configuration of the cache. A distinction is made between authentication with Kerberos and authentication with a user name and password.
If a Kerberos authentication is required, the following requirements must be met:
To create a keytab file, see the chapter Configuration - Kerberos Authentication - General.
If this requirement is met, the Kerberos authentication can begin:
The following information must be known to enable the cache to be configured without problems:
Once this information is known, the configuration can begin.
The configuration of the cache starts by creating and configuring the LDAP server and the credentials in the Network tab. If additional settings such as Domain Name, Connection Encryption or Endpoint are required, these are also to be defined in the Network tab.
The options marked with a star must be configured so that the cache can work and be built. All additional options must be configured depending on the use case.
Network tab

LDAP Settings

| Option | Description | Example / default |
|---|---|---|
| Domain Name* | Defines the domain to be used. Should be configured if there are multiple domains in an Active Directory forest or in other Active Directory forests (trusted domain Foreign Security Principals). This keeps the groups and users of those domains in the cache. The associated Credentials and Endpoints should also be configured. | Example: domain1.company.com |
| LDAP Server | Defines the LDAP server to be used. | Example: ldapserver.mycompany.com |
| Disable LDAP Server Discovery | Only the configured servers are used for LDAP queries. | Default setting: Deactivated |
| Excluded Domain | Defines domains that are not queried. | Example: domain2.company.com |
| Query Timeout (ms) | Defines the maximum time the connector waits for results from the LDAP server before the query is considered to have timed out. The interval starts once a connection has been established successfully. | Default setting: 360000 |
| Connection Encryption | Defines the type of encryption. | |
| Enable Connection Pool Manager | Reusing connections increases performance. | Default setting: Deactivated |
| Maximum Connections | Defines the maximum number of connections to the LDAP server that are established for LDAP queries. The connections are established when a service starts and can be used concurrently. A query is blocked while all connections are occupied. | Default setting: 10 |
| Maximum Shared Connections | Defines the maximum number of threads that can share one connection. | Default setting: 1 |
| Connection Timeout (ms) | Defines the maximum time the connector waits for a connection to the LDAP server before this is considered a timeout error. This applies while the initial connection is being established. | Default setting: 5000 |

* = These settings must be configured so that the cache works and is built. All other settings must be configured according to the application.

Endpoints

| Option | Description | Example |
|---|---|---|
| Location* | Must be configured when this credential is used for several LDAP servers in a DNS domain at the same time. A credential can also be assigned directly to an LDAP server. | Examples: dns://mycompany.com or ldap://<ldapserver hostname> |
| Credential* | Defines the credential to be used in this endpoint. | Example: LDAP Credential |

* = These settings must be configured so that the cache works and is built.
Indices tab

AD LDAP PrincipalResolution Service

| Option | Description | Example / default |
|---|---|---|
| Display Name* | The name of the service or of the cache. | Example: Microsoft Active Directory Principal Resolution Service |
| Service* | The Principal Resolution Service matching the data source in use. | CachingLdapPrincipalResolution |

* = These settings must be configured so that the cache works and is built.

LDAP Server Settings

| Option | Description | Example / default |
|---|---|---|
| LDAP Server Hostname | Defines the LDAP server to be used. If this option is configured, the option LDAP Credential must also be configured. Attention: Overrides the option LDAP Server in the Network tab. | Example: ldapserver.mycompany.com |
| LDAP Credential | The credential to be used. It is created in the Network tab under Credentials and can be selected in Endpoints or in the created cache. If this option is configured, the option LDAP Server Hostname must also be configured. Hint: When selecting a credential, make sure that the related user has the read permissions required to access all group memberships. | Example: MS AD PRS Credential |
| LDAP Connection Encryption | Defines the type of encryption. Attention: Overrides the option Connection Encryption in the Network tab. | |
| User Alias Name LDAP Attribute | Defines the attribute to be used as an alias for a user. | Example: |
| Group Alias Name LDAP Attribute | Defines the attribute to be used as an alias for a group. Must be configured if the ACLs were not normalised during indexing (i.e. not converted to DN format) and correspond to, for example, the "msDS-principalName" attribute of a group in Active Directory. | Example: msDS-principalName |
| Deprioritize Alias Names From Domain | Must be configured when users have different aliases in several domains and the aliases from certain domains are to be deprioritised. Principals from those domains are then not added to the user's principals. | Example: domain2.com |
| Suppress 'Everyone' Principal For Domain | Should be configured if users of the domain are no longer to be treated as members of the "Everyone" group. | Example: domain2.com |
| Suppress 'Authenticated Users' Principal For Domain | Should be configured if users of the domain are no longer to be treated as members of the "Authenticated Users" group. | Example: domain2.com |
| Include Base DN (Advanced Setting) | Should be configured if only certain users or groups are to be included when the cache is built. The Distinguished Name (DN) of each entry is compared with the entered lines. The lines must be in DN syntax, one Base DN per line. Attention: "Exclude Base DN" is applied before "Include Base DN". Clear the existing cache before changing this option. | Example: OU=my org,DC=my company,DC=com |
| Exclude Base DN (Advanced Setting) | Should be configured if certain users or groups are to be excluded when the cache is built. The Distinguished Name (DN) of each entry is compared with the entered lines. The lines must be in DN syntax, one Base DN per line. Attention: "Exclude Base DN" is applied before "Include Base DN". Clear the existing cache before changing this option. | Example: OU=other org,DC=my company,DC=com |
| Group Filter | Configures which groups are cached. The filter must comply with LDAP filter syntax and may be split over several lines. Attention: Clear the existing cache before changing this option. | Example: (&(city=mycity)(company=mycompany)) |
| User Filter | Configures which users are cached. The filter must comply with LDAP filter syntax and may be split over several lines. Attention: Clear the existing cache before changing this option. | Example: company=mycompany |
| Include Identity Principals | If activated, identity principals that are sent with the identity itself can be looked up in the cache. "Identity" refers to the object that the client service creates after authentication. | Default setting: Deactivated |
| Foreign Security Principal Domains | Enables an optimised resolution of Foreign Security Principals (FSPs), i.e. users or groups from "trusted" domains. All FSPs of a configured domain are resolved at start-up and cached until the next update. If this field is empty, FSPs are resolved individually, which in extreme cases (for example a large number of FSPs) can lead to performance problems such as timeouts. Every domain configured here should also be configured in the Network tab under LDAP Settings. | Example: Users or groups from domain1.com have been added to some groups in domain2.com. In this case only domain1.com should be configured in this option. |
| Include Principals Rule | Adds new principals to all users that match a configured regex pattern. This also allows "pseudo groups" to be created, i.e. groups that implicitly contain all users. | Example: With the pattern ".*" ("dot and asterisk" = match everything) and the principal "myportal-users", a pseudo group called myportal-users is created, and every user is a member of it. |

Cache Update Settings

| Option | Description | Default |
|---|---|---|
| Incremental Cache Update Interval (Minutes) | Determines (in minutes) how often the cache is updated. If the value is less than or equal to 0, the cache update is deactivated. When the service starts, the last (persisted) cache update time is taken into account, so the cache is not necessarily updated when the service is stopped or started, but only at the next interval. | Default setting: 60 |

Service Settings

| Option | Description | Example / default |
|---|---|---|
| Service Request Identity Alias Name Property | Allows properties of the identity to be used to search for principals in the cache. Enter the property name supplied by the authentication. This is used, for example, with SAML authentication to specify a property of the identity as the user name. Attention: The attributes "msDS-principalName" and "userPrincipalName" are stored automatically for all users because the client service uses them during Kerberos authentication, so they should not be configured as the user alias name. If only one domain is configured, the attribute "samaccountname" is also added automatically. | Example: |
| Suppress LDAP Queries | Prevents external services such as LDAP from being queried during the search for user groups that are not in the cache. | Default setting: Activated |
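The precedence of "Exclude Base DN" over "Include Base DN" and the pseudo-group effect of "Include Principals Rule" are easy to get wrong when planning a cache; the following Python is an added model of those two documented rules run over constructed sample entries, not Mindbreeze code. It assumes that the regex of the rule is matched against the user's account name and that an empty include list means "everything not excluded"; the page does not state either.

```python
import re

# Constructed sample directory entries; not taken from any real directory.
ENTRIES = [
    {"dn": "CN=alice,OU=my org,DC=my company,DC=com", "kind": "user", "account": "alice"},
    {"dn": "CN=bob,OU=other org,OU=my org,DC=my company,DC=com", "kind": "user", "account": "bob"},
    {"dn": "CN=svc-backup,OU=services,DC=my company,DC=com", "kind": "user", "account": "svc-backup"},
    {"dn": "CN=staff,OU=my org,DC=my company,DC=com", "kind": "group", "account": None},
]


def _rdns(dn):
    # Normalise a DN into lower-cased, whitespace-stripped RDN components so that
    # suffix comparison tolerates case and spacing differences (a simplification;
    # full RFC 4514 normalisation is more involved).
    return [part.strip().lower() for part in dn.split(",")]


def under_base_dn(dn, base_dn):
    # An entry lies under a Base DN when the Base DN's RDNs form a suffix of the entry's RDNs.
    entry, base = _rdns(dn), _rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def select_entries(entries, include_base_dns=(), exclude_base_dns=()):
    # Model of the documented rule: "Exclude Base DN" is applied before "Include Base DN".
    # An empty include list is treated as "everything that is not excluded" (assumption).
    selected = []
    for entry in entries:
        if any(under_base_dn(entry["dn"], b) for b in exclude_base_dns):
            continue  # excluded, even if an include line would also match
        if include_base_dns and not any(under_base_dn(entry["dn"], b) for b in include_base_dns):
            continue  # include lines are configured but none matches this entry
        selected.append(entry)
    return selected


def users_only(entries):
    return [e for e in entries if e["kind"] == "user"]


def include_principals_rule(users, pattern, principal):
    # Model of "Include Principals Rule": every user whose account name fully matches
    # the regex receives the extra principal, which then behaves like a pseudo group.
    # Matching against the account name is an assumption about what is compared.
    rx = re.compile(pattern)
    return {u["account"]: ([principal] if rx.fullmatch(u["account"]) else []) for u in users}
```

Running `select_entries` with an include line for OU=my org and an exclude line for the nested OU=other org keeps alice and staff but drops bob, which shows why the exclude list must be checked first.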
This chapter explains how to configure a cache for a principal resolution service, using the Novell eDirectory service.
The cache configuration starts by creating and configuring the credential to be used in the Network tab. If an endpoint is required, this is also to be defined in the Network tab.
In the new or existing service, select the CachingNovellLdapPrincipalResolution option in the Service setting. For more information about additional configuration options and how to create a cache and how to do the basic configuration of a cache for a Principal Resolution Service, see Installation & Configuration - Caching Principal Resolution Service.
The options marked with a star must be configured so that the cache can work and be built. All additional options must be configured depending on the use case.
Network tab

Credentials

| Option | Description | Example |
|---|---|---|
| Name* | The name of the credential. | Example: MS NeD PRS Credential |
| Type* | Defines the type of the credential. | Username/Password |
| Username* | Defines the user name; must be given in DN format. | Example: cn=admin,o=mycompany |
| Domain | Defines the domain to be used. | Example: domain2.com |
| Password* | Defines the password of the credential. | Example: Passwort123 |

* = These settings must be configured so that the cache works and is built. All other settings must be configured according to the application.

Endpoints

| Option | Description | Example |
|---|---|---|
| Location | Must be configured when this credential is used for several LDAP servers in a DNS domain at the same time. A credential can also be assigned directly to an LDAP server. | Example: ldap://ldapserver.mycompany.com |
| Credential | Defines the credential to be used in this endpoint. | Example: MS NeD PRS Credential |
Indices tab

AD LDAP PrincipalResolution Service

| Option | Description | Example |
|---|---|---|
| Display Name* | The name of the service or of the cache. | Example: Novell eDirectory Principal Resolution Service |
| Service* | The Principal Resolution Service matching the data source in use. | CachingNovellLdapPrincipalResolution |

* = These settings must be configured so that the cache works and is built.

LDAP Server Settings

| Option | Description | Example |
|---|---|---|
| LDAP Server Hostname | Defines the LDAP server to be used. If this option is configured, the option LDAP Credential must also be configured. Attention: Overrides the option LDAP Server in the Network tab. | Example: ldapserver.mycompany.com |
| LDAP Credential | The credential to be used. It is created in the Network tab under Credentials and can be selected in Endpoints or in the created cache. If this option is configured, the option LDAP Server Hostname must also be configured. | Example: MS NeD PRS Credential |

Cache Update Settings

| Option | Description | Default |
|---|---|---|
| Incremental Cache Update Interval (Minutes) | Determines (in minutes) how often the cache is updated. If the value is less than or equal to 0, the cache update is deactivated. When the service starts, the last (persisted) cache update time is taken into account, so the cache is not necessarily updated when the service is stopped or started, but only at the next interval. | Default setting: 60 |

Service Settings

| Option | Description | Example / default |
|---|---|---|
| Service Request Identity Alias Name Property | Allows properties of the identity to be used to search for principals in the cache. Enter the property name supplied by the authentication. This is used, for example, with SAML authentication to specify a property of the identity as the user name. Attention: The attributes "msDS-principalName" and "userPrincipalName" are stored automatically for all users because the client service uses them during Kerberos authentication, so they should not be configured as the user alias name. If only one domain is configured, the attribute "samaccountname" is also added automatically. | Example: |
| Suppress LDAP Queries | Prevents external services such as LDAP from being queried during the search for user groups that are not in the cache. | Default setting: Activated |
For more configuration parameters, see the list of settings in the chapter Configuration - LDAP Connector - Authentication with username and password.