German Version
Impressum
2018 Winter Release ►

Caching Principal Resolution Service

Installation and Configuration

Copyright ©

Mindbreeze GmbH, A-4020 Linz, 2018.

All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.

These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.

For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

Caching Principal Resolution Service (Active Directory LDAP)Permanent link for this heading

  1. Add a CachingLdapPrincipalResolution service under Services in the Indices tab.

  1. “LDAP Server Hostname“ should only be configured to overwrite the configuration of Preferred LDAP Server” under LDAP Settings” (in the “Network”  tab). The required login information “LDAP Credential” can be selected either directly here or in the “Network” tab under “Endpoints.”

  1. The Location can be configured as dns://<domain> (e.g. dns://mycompany.com) to use these credentials for multiple LDAP servers at the same time in one DNS domain. It is also possible to assign a credential directly to an LDAP server: ldap://<ldapserver hostname> (e.g. ldap://ldapserver.mycompany.com).

  1. If no login information is configured, Kerberos is used. To do this, a valid keytab must first be uploaded under Linux and selected for this service under “Setup Kerberos Authentication.”

  1. In the Kerberos authentication case, the UPN (User Principal Name) attribute of the user from the LDAP directory is used as a key for cache search. If another authentication method is used, which would send the user’s e-mail address for instance, the corresponding LDAP attributes, in this case mail, should be configured as “Alias Name LDAP Attribute”.  In addition, the “Identity Alias Name Property” field should contain the property name provided by authentication. The attributes msDS-principalName” und userPrincipalName are automatically saved for all users because they are used by the client service during Kerberos authentication. Therefore, they should not be configured as user aliases. If only one domain is configured, the attribute sameaccountname” is also automatically added.

  1. If the ACLs are not normalized during indexing, i.e. they are not converted to DN format and they correspond, for example, to the “msDS-principalName“ attribute of a group in the active directory, then the “Group Alias Name LDAP Attribute“ should also be configured.

  1. If users have different alias names in multiple domains, aliases from certain domains can be deprioritized using “Deprioritize Alias Names From Domain. As a result, the principals in these domains are not added to the list of user principals.
  2. Using “Suppress ‘Everyone’ Principal For Domain“ and “Suppress ‘Authenticated Users‘ Principal For Domain“ prevents users from being treated as members of these groups.

  1. Specify the directory path for the cache in the “Database Directory Path“ field and change the Cache In Memory Items Size” if necessary, depending on the available memory capacity of the JVM. Specify the time (in minutes) to wait before the cache is refreshed in the “Cache Update Interval“ field. This time interval is ignored the first time the service is started. The next time the service is started, this time is taken into account. The settings “Health Check Interval“, “Health Check max. Retries On Failure“ and “Heath Check Request Timeout“ allow this service to be restarted if, for instance, there are persistent connection problems.
  2. The service is called up on the specified Webservice Port”.

  1. “Preserve Case for Principals Matching Pattern“ allows you to keep certain principals (defined by Regex pattern) in the original format (not lower case). “Exclude Principals Pattern“ allows you to remove certain principals for all users from their principals list. “Suppress Anonymous Users Principals“ makes it possible, for example, to suppress the “Everyone” principal for anonymous users, meaning anonymous users cannot even find public documents. “Resolve non anonymous principal to all registered users“ determines whether "normal" (non-anonymous) users belong to the group that contains all users. “Include Principals Rule“ allows you to add new principals for all users (if these users match a configured regex pattern). If a user's groups are not stored in the cache, selecting “Suppress LDAP Queries“ prevents LDAP queries from being made to find these groups.

  1. Finally, select this service in the crawler configuration under “Caching Principal Resolution Service”. See chapter 5.

Caching Principal Resolution Service (Novell LDAP)Permanent link for this heading

  1. Add a CachingNovellLdapPrincipalResolution service under Services in the Indices tab.

  1. LDAP Server Hostname” should only be configured to overwrite the configuration “Preferred LDAP Server” in the “LDAP Settings” in the “Network” tab. The required login information “LDAP Credential” can either be selected directly here or in the “Network” tab under “Endpoints.”

  1. The location for an LDAP server has this format: ldap://<ldapserver hostname> (e.g. ldap://ldapserver.mycompany.com).

  1. The “Username” must be specified in DN format and the “Domain” field must be left blank.

  1. For further configuration parameters see: Caching Principal Resolution (Active Directory LDAP).

Caching Principal Resolution Service (SharePoint Principal Cache)Permanent link for this heading

  1. Add the SharePointPrincipalCache service under Services” in the Indices” tab. (MicrsoftSharePointConnector x.x.x.zip must first be installed in the tab “Plugins”).

  1. Specify the “SharePoint Server URL”. Configure the required login information in the Network tab under Endpoints. The “Include URL” and “Excluded Sites URL” fields should be the same as the crawler fields of the same name.

  1. In the “LDAP Persisted Cache Service Port” field, enter the previously configured “Web Service Port” of the LDAP Principal Resolution Service. In the SharePoint Crawler configuration, the option “Resolve SharePoint Groups” should not be selected.

  1. The option “SharePoint Site Groups Resolution Threads” configures the number of threads that find the SharePoint Site Groups of the sites at the same time. The “SharePoint Site Group Members Resolution And Inversion Threads” option specifies the number of threads that SharePoint Group members will find parallel to each other. The “Suppress External Service Calls” option prevents external services such as LDAP or SharePoint from being queried during the search if no SharePoint groups are found in the cache for a user. For further configuration parameters see: Caching Principal Resolution (Active Directory LDAP).

  1. It is possible to save the SharePoint groups of only certain specific sites by using the following parameters.
    • All Sites File: The path to a CSV file containing the site URLs that are to be crawled. If this field is empty, all sites are detected by the SiteDiscovery service.
    • Include Sites File: The path to a CSV file containing the site URLs that are to be crawled.
    • Exclude Sites File: The path to a CSV file containing the site URLs that should not be crawled.

  1. Finally, select this service in the crawler configuration under Caching Principal Resolution Service. See chapter 5.

Caching Principal Resolution Service (SharePoint ACL Reference Cache)Permanent link for this heading

  1. Add a “SharePointACLReferenceCache” service under “Services” in the “Indices” tab. (MicrsoftSharePointConnector x.x.x.zip must first be installed in the tab “Plugins”).

  1. Specify the “SharePoint Server URL”. Configure the required login information in the Network tab under Endpoints. “Include Sites File”, “Include URL”, “Excluded Sites URL”, “Exclude Sites With These Features”, and “Resolve SharePoint Groups” can only be selected if the port of “CachingLdapPrincipalResolution” service is entered in the “Parent Service Port.” The “Normalize ACLs” field should then be configured as in the crawler.

  1. In the “Parent Service Port” field, enter the previously configured “Web Service Port” of the “SharePoint Principal Cache” service. If "Resolve SharePoint Groups" is selected in the crawler, the LDAP Principal Resolution Service Port can be used here and the option "Resolve SharePoint Groups" must be selected.

  1. You can use the following parameters to save the SharePoint ACLs of only certain sites.
    • All Sites File: The path to a CSV file containing the site URLs that are to be crawled. If this field is empty, all sites are detected by the SiteDiscovery service.
    • Include Sites File: The path to a CSV file containing the site URLs that are to be crawled.
    • Exclude Sites File: The path to a CSV file containing the site URLs that should not be crawled.

  1. Finally, select this service in the crawler configuration under Caching Principal Resolution Service. See chapter 5.

Caching Principal Resolution Service (Confluence und Jive)Permanent link for this heading

  1. Add the CachingConfluencePrincipalResolutionService (ConfluenceAccess x.x.x.zip must first be installed in the tab “Plugins”).

  1. Specify the “Confluence Server URL”.

  1. The necessary credentials to access the “Confluence Server URL” must be configured in the “Network” tab and assigned to the “Confluence Server URL” endpoint. The “Suppress Confluence Service Calls” option allows you to suppress confluence service calls if a user cannot find any confluence groups in the cache.

  

  1. Finally, select this service in the crawler configuration under Caching Principal Resolution Service. See chapter 5.

Configuring the data sources for the Caching Principal Resolution Service.Permanent link for this heading

Select one of the configured caching principal resolution services in “Data Source”. For example, Caching LDAP Principal Resolution can be selected for a file system data source (in the screenshot FS Data Source”).

Principal Resolution Service REST APIPermanent link for this heading

URL

Description

http://localhost:23900/control?action=updatecache

Updates all containers.

http://localhost:23900/control?action=updatecache&container=<containerid>&isunifiedid=false

Updates <containerid> only.

http://localhost:23900/control?action=updatecache&partition=<partition>

Updates only one partition.

http://localhost:23900/control?action=updatecache&scope=full

Performs a complete update

http://localhost:23900/control?action=cancelupdate

Aborts a running update.

http://localhost:23900/control?action=checkconsistency&individualid=<userid>&isunifiedid=false

Checks if cached principals match <userid> with the principals provided by the source. If “all” is used instead of <userid>, the check is performed for all users.

http://localhost:23900/control?action=checkprincipals&individualid=<userid>&timeoutms=<milliseconds>

Returns principals with <userid> from the cache. <userid> should not be a unified ID.

http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&aliasnameattribute=<attribute>&aliasname=<aliasname>&timeoutms=<milliseconds>  

Returns principals with alias names. <aliasnameattribute> should be the configured  “Service Request Identity Alias Name Property.”

http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&isanonymous=true&timeoutms=<milliseconds>

Returns principals of anonymous users

http://localhost:23900/control?action=export&path=c:\export

Exports all database tables in CSV format.

http://localhost:23900/control?action=setcachemode&readonly=true

Sets the cache to read mode. Currently running updates are aborted. No further updates are started.

http://localhost:23900/control?action=setcachemode&readonly=false

Sets the cache to read/write mode. Updates are started as scheduled. The next update will resume, starting from the previous status.

http://localhost:23900/control?action=reopencache&path=c:\newcache

Reopens the cache in an empty directory. The cache should be updated after reopening.

http://localhost:23900/info?key=cachedir

Returns the currently used cache directory.

http://localhost:23900/info?key=cachemode

Returns the currently used mode (read-only/read/write).

http://localhost:23900/control?action=updateprincipalmembership&container=<container>&individuals=<individuals>

<individuals> List of individuals separated by ";" – e.g. user1; user2.

http://localhost:23900/control?action=printstacktraces

Outputs the current status of all threads.

http://localhost:23900/control?action=reset&aliasnames=true&partition=<partition>

Resets the alias names of a partition.

Download PDF

Download PDF