Home
Home
Support
Impressum
German Version
20.2 Release ►

    Main Navigation

    • Preparation
      • Connectors
      • Initial Startup for G6 appliances (before January 2018)
      • Initial Startup for G7 appliances
      • Setup InSpire G7 primary and Standby Appliances
    • Datasources
      • Configuration - Atlassian Confluence Connector
      • Configuration - Best Bets Connector
      • Configuration - Data Integration Connector
      • Configuration - Documentum Connector
      • Configuration - Dropbox Connector
      • Configuration - Egnyte Connector
      • Configuration - GitHub Connector
      • Configuration - Google Drive Connector
      • Configuration - Graph API for Azure AD
      • Configuration - GSA Adapter Service
      • Configuration - HL7 Connector
      • Configuration - IBM Connections Connector
      • Configuration - IBM Lotus Connector
      • Configuration - Jira Connector
      • Configuration - JiveSoftware Jive Connector
      • Configuration - JVM Launcher Service
      • Configuration - LDAP Connector
      • Configuration - Microsoft Dynamics CRM Connector
      • Configuration - Microsoft Exchange Connector
      • Configuration - Microsoft File Connector (Legacy)
      • Configuration - Microsoft File Connector
      • Configuration - Microsoft SharePoint Connector
      • Configuration - Salesforce Connector
      • Configuration - SAP KMC Connector
      • Configuration - SemanticWeb Connector
      • Configuration - ServiceNow Connector
      • Configuration - SharePoint Online Connector
      • Configuration - Web Connector
      • Data Integration Guide with SQL Database by Example
      • Indexing user-specific properties (Documentum)
      • Installation & Configuration - Atlassian Confluence Sitemap Generator Add-On
      • Installation & Configuration - Caching Principal Resolution Service
      • Installation & Configuration - Jive Sitemap Generator
      • Microsoft IIS Authentication API Proxy For Client Service (OAuth2)
      • Mindbreeze InSpire Search Apps in Microsoft SharePoint 2010
      • Mindbreeze InSpire Search Apps in Microsoft SharePoint 2013
      • Mindbreeze InSpire Search Apps in Microsoft SharePoint Online
      • Mindbreeze Web Parts for Microsoft SharePoint
      • User Defined Properties (SharePoint 2013 Connector)
    • Configuration
      • CAS_Authentication
      • Cognito JWT Authentification
      • Configuration - Alternative Search Suggestions and Automatic Search Expansion
      • Configuration - Back-End Credentials
      • Configuration - Chinese Tokenization Plugin (Jieba)
      • Configuration - CJK Tokenizer Plugin
      • Configuration - Collected Results
      • Configuration - Entity Recognition
      • Configuration - Exporting Results
      • Configuration - GSA Late Binding Authentication
      • Configuration - Index-Servlets
      • Configuration - Item Property Generator
      • Configuration - Japanese Language Tokenizer
      • Configuration - Kerberos Authentication
      • Configuration - Management Center Menu
      • Configuration - Metadata Enrichment
      • Configuration - Metadata Reference Builder Plugin
      • Configuration - Notifications
      • Configuration - Personalized Relevance
      • Configuration - Plugin Installation
      • Configuration - Principal Validation Plugin
      • Configuration - Profile
      • Configuration - Reporting Query Logs
      • Configuration - Reporting Query Performance Tests
      • Configuration - Request Header Session Authentication
      • Configuration - Vocabularies for Synonyms and Suggest
      • Configuration of Thumbnail Images
      • Cookie-Authentication
      • Documentation - Mindbreeze InSpire
      • Google Search Appliance Migration to Mindbreeze InSpire
      • I18n Item Transformation
      • Installation & Configuration - Outlook Add-In
      • Installation - GSA Base Configuration Package
      • Language detection - LanguageDetector Plugin
      • Mindbreeze Personalization
      • Mindbreeze Prediction Service Text Classification
      • Mindbreeze Property Expression Language
      • Mindbreeze Query Expression Transformation
      • Non-Inverted Metadata Item Transformer
      • SAML-based Authentication
      • Trusted Peer Authentication for Mindbreeze InSpire
    • Operations
      • app.telemetry Statistics Regarding Search Queries
      • Configuration Usage Analysis
      • Deletion of Hard Disks
      • Handbook - Backup & Restore
      • Handbook - Distributed Operation (G7)
      • Handbook - Synchronized Operation (G6)
      • Index Operating Concepts
      • Indexing and Search Logs
      • Inspire Diagnostics and Resource Monitoring
      • InSpire Support Documentation
      • Mindbreeze InSpire SFX Update
      • Provision of app.telemetry Information on G7 Appliances via SNMPv3
      • Restoring to As-Delivered Condition
    • User Manual
      • Cheat Sheet
      • iOS App
      • Keyboard Operation
    • SDK
      • api.v2.alertstrigger Interface Description
      • api.v2.export Interface Description
      • api.v2.personalization Interface Description
      • api.v2.search Interface Description
      • api.v2.suggest Interface Description
      • Debugging (Eclipse)
      • Developing an API V2 search request response transformer
      • Developing Item Transformation and Post Filter Plugins with the Mindbreeze SDK
      • Development of Search Apps
      • Java API Interface Description
    • Release Notes
      • Release Notes 20.1 Release - Mindbreeze InSpire
      • Release Notes 20.2 Release - Mindbreeze InSpire
      • Release Notes 2016 Fall - Mindbreeze InSpire
      • Release Notes 2016 Summer - Mindbreeze InSpire
      • Release Notes 2017 Summer - Mindbreeze InSpire
      • Release Notes 2017 Winter - Mindbreeze InSpire
      • Release Notes 2018 Spring - Mindbreeze InSpire
      • Release Notes 2018 Winter - Mindbreeze InSpire
      • Release Notes 2019 Fall - Mindbreeze InSpire
      • Release Notes 2019 Winter - Mindbreeze InSpire
    • Product Information
      • Product Information - Mindbreeze InSpire - Standby
      • Product Information - Mindbreeze InSpire
    Home

    Path

    Caching Principal Resolution Service

    Installation and Configuration

    Copyright ©

    Mindbreeze GmbH, A-4020 Linz, 2020.

    All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.

    These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.

    For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

    Caching Principal Resolution Service (Active Directory LDAP)Permanent link for this heading

    1. Add a “CachingLdapPrincipalResolution” service under “Services” in the “Indices” tab.

    1. “LDAP Server Hostname“ should only be configured to overwrite the configuration of “Preferred LDAP Server” under “LDAP Settings” (in the “Network”  tab). The required login information “LDAP Credential” can be selected either directly here or in the “Network” tab under “Endpoints.”

    1. The Location can be configured as dns://<domain> (e.g. dns://mycompany.com) to use these credentials for multiple LDAP servers at the same time in one DNS domain. It is also possible to assign a credential directly to an LDAP server: ldap://<ldapserver hostname> (e.g. ldap://ldapserver.mycompany.com).

    1. If no login information is configured, Kerberos is used. To do this, a valid keytab must first be uploaded under Linux and selected for this service under “Setup Kerberos Authentication.”

    1. In the Kerberos authentication case, the UPN (User Principal Name) attribute of the user from the LDAP directory is used as a key for cache search. If another authentication method is used, which would send the user’s e-mail address for instance, the corresponding LDAP attributes, in this case mail, should be configured as “Alias Name LDAP Attribute”.  In addition, the “Identity Alias Name Property” field should contain the property name provided by authentication. The attributes “msDS-principalName” und “userPrincipalName” are automatically saved for all users because they are used by the client service during Kerberos authentication. Therefore, they should not be configured as user aliases. If only one domain is configured, the attribute “sameaccountname” is also automatically added.

    1. If the ACLs are not normalized during indexing, i.e. they are not converted to DN format and they correspond, for example, to the “msDS-principalName“ attribute of a group in the active directory, then the “Group Alias Name LDAP Attribute“ should also be configured.

    1. If users have different alias names in multiple domains, aliases from certain domains can be deprioritized using “Deprioritize Alias Names From Domain.” As a result, the principals in these domains are not added to the list of user principals.
    2. Using “Suppress ‘Everyone’ Principal For Domain“ and “Suppress ‘Authenticated Users‘ Principal For Domain“ prevents users from being treated as members of these groups.

    If only certain groups or users are to be stored in the cache, the "Group Filters" or "User Filters" can be configured and used for this purpose. The filters must correspond to the LDAP filter syntax. The cache structure can be restricted to certain ActiveDirectory organizational units. Therefore it is necessary to configure the "Exclude Base DN" and "Include Base DN" options accordingly. The "Distinguished Name" of all users and groups is compared with the individual lines of the configured "Include Base DN" and "Exclude Base DN" to include or exclude the user or group. The "Exclude Base DN" option is applied first.

    1. Specify the directory path for the cache in the “Database Directory Path“ field and change the “Cache In Memory Items Size” if necessary, depending on the available memory capacity of the JVM. Specify the time (in minutes) to wait before the cache is refreshed in the “Cache Update Interval“ field. This time interval is ignored the first time the service is started. In order to clean the cache and rebuild it after a certain number of updates N, the number N can be configured in the „Clean Cache after each N updates“ field. If „Backup cache before cleaning“ is selected, the cache will be copied to /data/currentservice/<Service Name>/temp directory before cleaning. The settings “Health Check Interval“, “Health Check max. Retries On Failure“ and “Heath Check Request Timeout“ allow this service to be restarted if, for instance, there are persistent connection problems.
    2. The service is called up on the specified “Webservice Port”.





    3. By selecting the “Include Identity Principals” option, you can also search the cache for identity principals that are sent with the identity itself and find their group memberships. However,
    4. “Identity Alias Name Property” allows you to use properties located in the identity in order to use their value to search the cache for group memberships.



    5. “Preserve Case for Principals Matching Pattern“ allows you to keep certain principals (defined by Regex pattern) in the original format (not lower case).
    6. “Exclude Principals Pattern“ allows you to remove certain principals for all users from their principals list.
    7. “Suppress Anonymous Users Principals“ makes it possible, for example, to suppress the “Everyone” principal for anonymous users, meaning anonymous users cannot even find public documents.
    8. “Resolve non anonymous principal to all registered users“ determines whether "normal" (non-anonymous) users belong to the group that contains all users.

    "Include Principals Rule" allows you to add new principals for all users (if these users match a configured Regex pattern). It can also be used to create "pseudogroups", i.e. groups that implicitly contain all users. For example, with the "Pattern" .* (matches all) and the "Principal" myportal-users a pseudogroup myportal-users can be created. Each user is thus a member of the pseudogroup myportal-users.

    1. “Suppress LDAP Queries“ prevents LDAP queries from being made to find these groups.
    2. „Case Insensitive Member Resolution“ determines if principals are checked in a case-insensitive manner. (Default: active)
    3. The “Use Parent Principal Cache Service“ and “Parent Principal Cache Service Port” options enable the group membership resolution of the user in another cache (parent cache). This means that the groups resolved by the parent cache are also returned as group membership.

    1. Finally, select this service in the crawler configuration under “Caching Principal Resolution Service”. See chapter 5.

    Caching Principal Resolution Service (Novell LDAP)Permanent link for this heading

    1. Add a “CachingNovellLdapPrincipalResolution” service under “Services” in the “Indices” tab.

    1. “LDAP Server Hostname” should only be configured to overwrite the configuration “Preferred LDAP Server” in the “LDAP Settings” in the “Network” tab. The required login information “LDAP Credential” can either be selected directly here or in the “Network” tab under “Endpoints.”

    1. The location for an LDAP server has this format: ldap://<ldapserver hostname> (e.g. ldap://ldapserver.mycompany.com).

    1. The “Username” must be specified in DN format and the “Domain” field must be left blank.

    1. For further configuration parameters see: Caching Principal Resolution (Active Directory LDAP).

    Configuring the data sources for the Caching Principal Resolution Service.Permanent link for this heading

    Select one of the configured caching principal resolution services in “Data Source”. For example, Caching LDAP Principal Resolution can be selected for a file system data source (in the screenshot “FS Data Source”).

    Principal Resolution Service REST APIPermanent link for this heading

    URL

    Description

    http://localhost:23900/control?action=updatecache

    Updates all containers.

    http://localhost:23900/control?action=updatecache&container=<containerid>&isunifiedid=false

    Updates <containerid> only.

    http://localhost:23900/control?action=updatecache&partition=<partition>

    Updates only one partition.

    http://localhost:23900/control?action=updatecache&scope=full

    Performs a complete update

    http://localhost:23900/control?action=cancelupdate

    Aborts a running update.

    http://localhost:23900/control?action=checkconsistency&individualid=<userid>&isunifiedid=false

    Checks if cached principals match <userid> with the principals provided by the source. If “all” is used instead of <userid>, the check is performed for all users.

    http://localhost:23900/control?action=checkprincipals&individualid=<userid>&timeoutms=<milliseconds>

    Returns principals with <userid> from the cache. <userid> should not be a unified ID.

    http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&aliasnameattribute=<attribute>&aliasname=<aliasname>&timeoutms=<milliseconds>  

    Returns principals with alias names. <aliasnameattribute> should be the configured  “Service Request Identity Alias Name Property.”

    http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&isanonymous=true&timeoutms=<milliseconds>

    Returns principals of anonymous users

    http://localhost:23900/control?action=export&path=c:\export

    Exports all database tables in CSV format.

    http://localhost:23900/control?action=setcachemode&readonly=true

    Sets the cache to read mode. Currently running updates are aborted. No further updates are started.

    http://localhost:23900/control?action=setcachemode&readonly=false

    Sets the cache to read/write mode. Updates are started as scheduled. The next update will resume, starting from the previous status.

    http://localhost:23900/control?action=reopencache&path=c:\newcache

    Reopens the cache in an empty directory. The cache should be updated after reopening.

    http://localhost:23900/info?key=cachedir

    Returns the currently used cache directory.

    http://localhost:23900/info?key=cachemode

    Returns the currently used mode (read-only/read/write).

    http://localhost:23900/control?action=updateprincipalmembership&container=<container>&individuals=<individuals>

    <individuals> List of individuals separated by ";" – e.g. user1; user2.

    http://localhost:23900/control?action=printstacktraces

    Outputs the current status of all threads.

    http://localhost:23900/control?action=reset&aliasnames=true&partition=<partition>

    Resets the alias names of a partition.

    Download PDF

    • Installation & Configuration - Caching Principal Resolution Service

    Content

    • Caching Principal Resolution Service (Active Directory LDAP)
    • Caching Principal Resolution Service (Novell LDAP)
    • Configuring the data sources for the Caching Principal Resolution Service.
    • Principal Resolution Service REST API

    Download PDF

    • Installation & Configuration - Caching Principal Resolution Service