Caching Principal Resolution Service

Copyright © Mindbreeze GmbH, A-4020 Linz, 2017.

All rights reserved. All hardware and software names used are registered trade names and/or registered trademarks of the respective manufacturers.

These documents are highly confidential. No rights to our software or our professional services, or results of our professional services, or other protected rights can be based on the handing over and presentation of these documents.

Distribution, publication or duplication is not permitted.

The term “user” is used in a gender-neutral sense throughout the document.

Caching Principal Resolution Service (LDAP)

  1. Add the CachingLdapPrincipalResolution service in the Services section of the Indices tab.

  2. Provide “LDAP Server Hostname” and select the LDAP Credential needed for accessing the LDAP server. Credentials should be configured in the Network tab.

  3. Kerberos authentication uses the UPN (User Principal Name) attribute of the user object from the LDAP directory as the key for querying the cache. If another form of authentication is used, you have to configure the alias attribute. If, for example, the e-mail address of the user is used, you have to add the attribute name “mail” as “Alias Name LDAP Attribute”. Additionally, you have to add the property name provided by the authentication mechanism to the field “Identity Alias Name Property”. The attributes “msDS-principalName” and “userPrincipalName” are automatically added as alias attributes and should not be configured manually. If only one domain has been configured, the attribute “samaccountname” is added automatically as well.

  4. If the document ACLs are not normalized during crawling (for example, if they are the msDS-principalName attribute of groups), the user principals must also contain the principals in that format in order to grant the user access to these documents.

  5. If a user has different alias names in different domains, some domains can be deprioritized by configuring “Prioritize Alias Names From Domain”; the user will then not have principals from the deprioritized domains. “Suppress ‘Everyone’ Principal for Domain” and “Suppress ‘Authenticated Users’ for Domain” remove the ‘Everyone’ and ‘Authenticated Users’ principals from the principal list of users of the specified domain.

  6. Provide the “Database Directory Path” for the cache and, if necessary, change “Cache In Memory Items Size” according to the memory available to the JVM. The time interval (minutes) provided in the “Cache Update Interval” field is ignored on the first start of the service. Subsequent starts consider this interval and postpone the cache update until it has elapsed. The settings “Health Check Interval”, “Health Check max. Retries on Failure” and “Health Check Request Timeout” can be configured to restart the service in case of persisting connection problems.

  7. The service is called by the query service on “Webservice Port”.

“Preserve Case for Principals Matching Pattern” preserves the original casing for specific principals (defined by a regex pattern). “Exclude Principals Pattern” removes specific principals (defined by a regex pattern) from all users’ principals. “Suppress Anonymous Users Principals” ensures that anonymous users cannot find documents (even public ones). “Include Principal Rules” adds new principals to a user if this user already has specific principals (defined by a regex pattern). If the groups of a user are not cached yet and “Suppress LDAP Queries” is enabled, the LDAP cache will not contact the data source to resolve these groups.
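The following is an added illustrative model of how the three regex-based options above interact; it is not Mindbreeze code. It assumes that default normalization lower-cases every principal, that the exclude pattern is matched against the principal as delivered by the source, and that include rules are evaluated after exclusion.

```python
import re

# Illustrative model of "Preserve Case for Principals Matching Pattern",
# "Exclude Principals Pattern" and "Include Principal Rules" (not product code).
# Assumption: default normalization lower-cases every principal.

def resolve_principals(principals, *, preserve_case_pattern=None,
                       exclude_pattern=None, include_rules=()):
    """Return the final, ordered, de-duplicated principal list for one user.

    include_rules: (trigger_regex, principal_to_add) pairs; the principal is
    added when the user already holds a principal matching trigger_regex.
    """
    preserve = re.compile(preserve_case_pattern) if preserve_case_pattern else None
    exclude = re.compile(exclude_pattern) if exclude_pattern else None
    rules = [(re.compile(trigger), extra) for trigger, extra in include_rules]

    kept = []
    for p in principals:
        if exclude and exclude.search(p):
            continue                      # dropped by "Exclude Principals Pattern"
        # keep original casing only for principals the preserve pattern matches
        kept.append(p if preserve and preserve.search(p) else p.lower())

    # "Include Principal Rules": evaluated against the user's kept principals
    for trigger, extra in rules:
        if any(trigger.search(p) for p in kept):
            kept.append(extra)

    return list(dict.fromkeys(kept))      # de-duplicate, preserve order
```

Running it on a constructed principal list shows a SID kept verbatim, “Everyone” removed and a rule-derived group appended.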

Caching Principal Resolution Service (SharePoint)

  1. Add the SharePointPrincipalCache service in the Services section of the Indices tab (MicrosoftSharePointConnector-x.x.x.zip must already be installed in the Plugins tab).

  2. Provide “SharePoint Server URL”. Provide the needed credentials in the Endpoints section of the Network tab.

  3. Add “LDAP Persisted Cache Service Port”, which is the “Webservice Port” of the LDAP Caching Principal Resolution Service.

  4. The option “SharePoint Site Groups Resolution Threads” determines the number of threads working on finding the SharePoint groups. The option “SharePoint Site Group Members Resolution And Inversion Threads” determines the number of threads working on resolving the SharePoint group members. The option “Supress External Service Calls” prevents querying external data sources (for example LDAP or SharePoint) if groups are not found in the cache. For configuring other parameters, see Caching Principal Resolution (LDAP) above.

Caching Principal Resolution Service (Confluence and Jive)

  1. Add the CachingConfluencePrincipalResolutionService in the Services section of the Indices tab (ConfluenceAccess-x.x.x.zip must be installed first in the Plugins tab).

  2. Provide “Confluence Server URL”.

  3. The credentials necessary to access “Confluence Server URL” should be configured in the Network tab and mapped to the “Confluence Server URL” endpoint. The option “Suppress Confluence Service Calls” prevents calls to the Confluence service if no groups are found for a user in the cache.

For configuring other parameters see Caching Principal Resolution (LDAP) above.

Configuration of Caching Principal Resolution Service in Data Sources

Select one of the configured Caching Principal Resolution Services in the Data Source configuration. For example, Caching LDAP Principal Resolution can be selected for a Filesystem Data Source.

Principal Resolution Service REST API

Each URL below is followed by its description. The service listens on the configured “Webservice Port” (23900 in these examples).

http://localhost:23900/control?action=updatecache
  Updates all containers.

http://localhost:23900/control?action=updatecache&container=<containerid>&isunifiedid=false
  Updates only <containerid>.

http://localhost:23900/control?action=updatecache&partition=<partition>
  Updates only a partition.

http://localhost:23900/control?action=cancelupdate
  Cancels the previous update.

http://localhost:23900/control?action=checkconsistency&individualid=<userid>&isunifiedid=false
  Verifies whether the cached principals for <userid> are the same as those provided by the source (Confluence or LDAP, for example). If “all” is used instead of <userid>, the verification is done for all users.

http://localhost:23900/control?action=checkprincipals&individualid=<userid>&timeoutms=<milliseconds>
  Returns principals for <userid> from the cache. <userid> should not be a unified id.

http://localhost:23900/control?action=checkprincipals&individualid="anystring"&isanonymous=true&timeoutms=<milliseconds>
  Returns principals for the anonymous user.

http://localhost:23900/control?action=checkprincipals&individualid="anystring"&aliasnameattribute=<attribute>&aliasname=<aliasname>&timeoutms=<milliseconds>
  Returns principals for the user identified by <aliasname>. <attribute> must be the configured “Service Request Identity Alias Name Property”.

http://localhost:23900/control?action=export&path=c:\export
  Exports all database tables in CSV format.

http://localhost:23900/control?action=setcachemode&readonly=true
  Sets the cache to read-only mode. A running update task will be cancelled. No further update tasks will be started.

http://localhost:23900/control?action=setcachemode&readonly=false
  Sets the cache to read/write mode. Update tasks will start as scheduled. The next update task will resume from the previous state.

http://localhost:23900/control?action=reopencache&path=c:\newcache
  Reopens the cache in an empty directory. The cache should be updated after reopening.

http://localhost:23900/info?key=cachedir
  Returns the currently used cache directory.

http://localhost:23900/info?key=cachemode
  Returns the current mode (read-only or read/write).

http://localhost:23900/control?action=updateprincipalmembership&container=<container>&individuals=<individuals>
  Updates the principal membership of the given individuals in <container>. Individuals must be separated by “;”.

http://localhost:23900/control?action=printstacktrace
  Prints the current state of all threads.

http://localhost:23900/control?action=reset&aliasnames=true&partition=<partition>
  Resets alias names for a partition.
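The following is an added example client for the control and info endpoints listed above; it is not part of the Mindbreeze product. It shows the read-only/export/read-write sequence the setcachemode and export actions allow, plus a per-user consistency check. The `fetch` callable is an assumption so the sequence can be exercised without a running service; responses are returned as raw text because their format is not documented here.

```python
from urllib.parse import urlencode
from urllib.request import urlopen

# Added example client (not product code) for the /control and /info endpoints.
# Parameter values are URL-encoded by urlencode, e.g. "c:\export" -> c%3A%5Cexport.

class PrincipalCacheClient:
    def __init__(self, base="http://localhost:23900", fetch=None):
        self.base = base
        # fetch(url) -> response text; replaceable for offline tests (assumption)
        self.fetch = fetch or (lambda url: urlopen(url, timeout=30).read().decode())
        self.calls = []                        # URLs issued, in order

    def control(self, action, **params):
        url = f"{self.base}/control?{urlencode({'action': action, **params})}"
        self.calls.append(url)
        return self.fetch(url)

    def info(self, key):
        url = f"{self.base}/info?{urlencode({'key': key})}"
        self.calls.append(url)
        return self.fetch(url)

    def export_consistent_snapshot(self, path):
        """Export the tables while no update task can modify them."""
        self.control("setcachemode", readonly="true")      # cancels a running update
        try:
            return self.control("export", path=path)
        finally:                                           # always restore scheduling
            self.control("setcachemode", readonly="false")

    def check_user(self, userid, timeoutms=5000):
        """Consistency check against the source plus the cached principals."""
        consistency = self.control("checkconsistency",
                                   individualid=userid, isunifiedid="false")
        principals = self.control("checkprincipals",
                                  individualid=userid, timeoutms=timeoutms)
        return consistency, principals
```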