Caching Principal Resolution Service

Caching Principal Resolution Service (LDAP)

1. Add CachingLdapPrincipalResolution service in Services section of Indices tab.

1. “LDAP Server Hostname” should only be configured to override the “Preferred LDAP Server” Setting in the “Network” tab. Credentials should also be configured in Network tab.
2. 

The “Location” can configured as dns://<domain> (z.B dns://mycompany.com) to use the credentials for multiple LDAP servers in a Domain. It is also possible to assign a credential directly to an LDAP-Server: ldap://<ldapserver hostname> (z.B. ldap://ldapserver.mycompany.com).

1. If no credentials are configured the service will use Kerberos authentication. On Linux platforms it is required to upload a valid Keytab and select it for the service.

1. Kerberos authentication uses the UPN (User Principal Name) attribute of the User Object from the LDAP-directory as key for querying the Cache. If another form of authentication is used you have to configure the alias attribute. If for example the email-address of the user is used, you have to add attribute name “mail” as “Alias Name LDAP Attribute”. Additionally you have to add the property name provided by the authentication mechanism to the field “Identity Alias Name Property”. The attributes “msDS-principalName” and “userPrincipalName” are automatically added as alias attribute and should not be configured manually. If only one domain has been configured the attribute “samaccountname” is added automatically as well.

1. If the document ACLs during crawling are not normalized (for example if they are msDs-princiaplName attribute of groups), then it is necessary that the user principals also contain the principals in that format in order to grant them access to these documents.

1. If a user has different alias names in different domains, it is possible to deprioritize some domains by configuring “Prioritize Alias Names From Domain”. So the user will not have principals from the deprioritized domains. “Suppress ‘Everyone’ Principal for Domain” and “Suppress ‘Authenticated Users’ for Domain” allow removing ‘Everyone’ and ‘Authenticated Users’ principals from user principals list of users of a specified domain.

1. Provide “Database Directory Path” for cache and If necessary change “Cache In Memory Items Size” according to available memory of JVM. The provided time interval (minutes) in “Cache Update Interval” field will be ignored in first start of the service. The subsequent starts will consider this time interval and the cache update will be postponed until this time interval is completed. The settings “Health Check Interval”, “Health Check max. Retries on Failure” and “Health Check Request Timeout” can be configured to restart the Service in cases of persisting connection Problems.

5.  The service is called by query service on “Webservice Port”.  

“Preserve Case for Principals Matching Pattern” preserves the original casing for some specific (defined by regex pattern) principals. “Exclude Principals Pattern” enables removing some specific principals (defined by regex pattern) from all users’ principals. “Suppress Anonymous Users Principals” makes it possible that anonymous users cannot find documents (even public ones). “Resolve non anonymous principals to all registered users” determines if every user (non-anonymous) is a member of the all-users group. “Include Principal Rules” makes it possible to add new principals to a user if this user has some specific (defined by regex pattern) principals already. If the groups of a user are not cached yet and “Suppress LDAP Queries” is enabled, the LDAP cache will not contact the data source to resolve these groups.

Caching Principal Resolution Service (SharePoint)

1. Add SharePointPrincipalCache service in Services section of Indices tab (MicrosoftSharePointConnector-x.x.x.zip must be installed already in Plugins tab)

1. Provide “SharePoint Server URL”. Provide needed credentials in Network tab Endpoints section.

1. Add “LDAP Persisted Cache Service Port”, which is the “Webservice Port” of LDAP Caching Principal Resolution Service.

1. The option “SharePoint Site Groups Resolution Threads” determines the number of threads that are working on finding the SharePoint groups. The option “SharePoint Site Group Members Resolution And Inversion Threads” determines the number of threads that are working on resolving the SharePoint group members. The option “Supress External Service Calls” prevents the querying of external data sources for example LDAP or SharePoint If groups are not found in the cache. For configuring other parameters see Caching Principal Resolution (LDAP) above.

Caching Principal Resolution Service (Confluence and Jive)

1. Add CachingConfluencePrincipalResolutionService in Services section of Indices tab (ConfluenceAccess-x.x.x.zip must be installed first in plugins tab)

1. Provide “Confluence Server URL”. tab.

1. The necessary credentials to access “Confluence Server URL” should be configured in Network tab and mapped to “Confluence Server URL” endpoint. The option “Suppress Confluence Service Calls” prevents calls to the Confluence service if no groups are found for a user in the cache.

For configuring other parameters see Caching Principal Resolution (LDAP) above.

Configuration of Caching Principal Resolution Service in Data Sources.

Select one of the configured Caching Principal Resolution Service in Data Source configuration. For example, Caching LDAP Principal Resolution can be selected for Filesystem Data Source.

Principal Resolution Service REST API