Home
Home
German Version
Support
Impressum
23.6 Release ►

    Main Navigation

    • Preparation
      • Connectors
      • Create an InSpire VM on Hyper-V
      • Initial Startup for G7 appliances
      • Setup InSpire G7 primary and Standby Appliances
    • Datasources
      • Configuration - Atlassian Confluence Connector
      • Configuration - Best Bets Connector
      • Configuration - Box Connector
      • Configuration - COYO Connector
      • Configuration - Data Integration Connector
      • Configuration - Documentum Connector
      • Configuration - Dropbox Connector
      • Configuration - Egnyte Connector
      • Configuration - GitHub Connector
      • Configuration - Google Drive Connector
      • Configuration - GSA Adapter Service
      • Configuration - HL7 Connector
      • Configuration - IBM Connections Connector
      • Configuration - IBM Lotus Connector
      • Configuration - Jira Connector
      • Configuration - JiveSoftware Jive Connector
      • Configuration - JVM Launcher Service
      • Configuration - LDAP Connector
      • Configuration - Microsoft Azure Principal Resolution Service
      • Configuration - Microsoft Dynamics CRM Connector
      • Configuration - Microsoft Exchange Connector
      • Configuration - Microsoft File Connector (Legacy)
      • Configuration - Microsoft File Connector
      • Configuration - Microsoft Graph Connector
      • Configuration - Microsoft Project Connector
      • Configuration - Microsoft SharePoint Connector
      • Configuration - Microsoft SharePoint Online Connector
      • Configuration - Microsoft Stream Connector
      • Configuration - Microsoft Teams Connector
      • Configuration - Salesforce Connector
      • Configuration - SemanticWeb Connector
      • Configuration - ServiceNow Connector
      • Configuration - Web Connector
      • Configuration - Yammer Connector
      • Data Integration Guide with SQL Database by Example
      • Indexing user-specific properties (Documentum)
      • Installation & Configuration - Atlassian Confluence Sitemap Generator Add-On
      • Installation & Configuration - Caching Principal Resolution Service
      • Installation & Configuration - Jive Sitemap Generator
      • Installation & Configuration - Mindbreeze InSpire Insight Apps in Microsoft SharePoint On-Prem
      • Mindbreeze InSpire Insight Apps in Microsoft SharePoint Online
      • Mindbreeze Web Parts for Microsoft SharePoint
      • User Defined Properties (SharePoint 2013 Connector)
      • Whitepaper - Mindbreeze InSpire Insight Apps in Salesforce
      • Whitepaper - Web Connector - Setting Up Advanced Javascript Usecases
    • Configuration
      • CAS_Authentication
      • Configuration - Alternative Search Suggestions and Automatic Search Expansion
      • Configuration - Back-End Credentials
      • Configuration - Chinese Tokenization Plugin (Jieba)
      • Configuration - CJK Tokenizer Plugin
      • Configuration - Collected Results
      • Configuration - CSV Metadata Mapping Item Transformation Service
      • Configuration - Entity Recognition
      • Configuration - Exporting Results
      • Configuration - External Query Service
      • Configuration - Filter Plugins
      • Configuration - GSA Late Binding Authentication
      • Configuration - Identity Conversion Service - Replacement Conversion
      • Configuration - InceptionImageFilter
      • Configuration - Index-Servlets
      • Configuration - Item Property Generator
      • Configuration - Japanese Language Tokenizer
      • Configuration - Kerberos Authentication
      • Configuration - Management Center Menu
      • Configuration - Metadata Enrichment
      • Configuration - Metadata Reference Builder Plugin
      • Configuration - Mindbreeze Proxy Environment (Remote Connector)
      • Configuration - Notifications
      • Configuration - Personalized Relevance
      • Configuration - Plugin Installation
      • Configuration - Principal Validation Plugin
      • Configuration - Profile
      • Configuration - Reporting Query Logs
      • Configuration - Reporting Query Performance Tests
      • Configuration - Request Header Session Authentication
      • Configuration - Shared Configuration (Windows)
      • Configuration - Vocabularies for Synonyms and Suggest
      • Configuration of Thumbnail Images
      • Cookie-Authentication
      • Documentation - Mindbreeze InSpire
      • I18n Item Transformation
      • Installation & Configuration - Outlook Add-In
      • Installation - GSA Base Configuration Package
      • JWT Authentication
      • Language detection - LanguageDetector Plugin
      • Mindbreeze Personalization
      • Mindbreeze Property Expression Language
      • Mindbreeze Query Expression Transformation
      • SAML-based Authentication
      • Trusted Peer Authentication for Mindbreeze InSpire
      • Using the InSpire Snapshot for Development in a CI_CD Scenario
      • Whitepaper - Create AWS 10M InSpire Appliance
      • Whitepaper - Create AWS 1M InSpire Appliance
      • Whitepaper - Create AWS 2M InSpire Appliance
      • Whitepaper - MMC_ Services
      • Whitepaper - Natural Language Question Answering (NLQA)
      • Whitepaper - SSO with Microsoft AAD or AD FS
      • Whitepaper - Text Classification Insight Services
    • Operations
      • app.telemetry Statistics Regarding Search Queries
      • Configuration - app.telemetry dashboards for usage analysis
      • Configuration Usage Analysis
      • Deletion of Hard Disks
      • Handbook - Backup & Restore
      • Handbook - Command Line Tools
      • Handbook - Distributed Operation (G7)
      • Handbook - Filemanager
      • Handbook - Indexing and Search Logs
      • Handbook - Updates and Downgrades
      • Index Operating Concepts
      • Inspire Diagnostics and Resource Monitoring
      • Mindbreeze InSpire SFX Update
      • Provision of app.telemetry Information on G7 Appliances via SNMPv3
      • Restoring to As-Delivered Condition
    • User Manual
      • Browser Extension
      • Cheat Sheet
      • iOS App
      • Keyboard Operation
    • SDK
      • api.v2.alertstrigger Interface Description
      • api.v2.export Interface Description
      • api.v2.personalization Interface Description
      • api.v2.search Interface Description
      • api.v2.suggest Interface Description
      • api.v3.admin.SnapshotService Interface Description
      • Debugging (Eclipse)
      • Developing an API V2 search request response transformer
      • Developing Item Transformation and Post Filter Plugins with the Mindbreeze SDK
      • Development of a Query Expression Transformer
      • Development of Insight Apps
      • Embedding the Insight App Designer
      • Java API Interface Description
    • Release Notes
      • Release Notes 20.1 Release - Mindbreeze InSpire
      • Release Notes 20.2 Release - Mindbreeze InSpire
      • Release Notes 20.3 Release - Mindbreeze InSpire
      • Release Notes 20.4 Release - Mindbreeze InSpire
      • Release Notes 20.5 Release - Mindbreeze InSpire
      • Release Notes 21.1 Release - Mindbreeze InSpire
      • Release Notes 21.2 Release - Mindbreeze InSpire
      • Release Notes 21.3 Release - Mindbreeze InSpire
      • Release Notes 22.1 Release - Mindbreeze InSpire
      • Release Notes 22.2 Release - Mindbreeze InSpire
      • Release Notes 22.3 Release - Mindbreeze InSpire
      • Release Notes 23.1 Release - Mindbreeze InSpire
      • Release Notes 23.2 Release - Mindbreeze InSpire
      • Release Notes 23.3 Release - Mindbreeze InSpire
      • Release Notes 23.4 Release - Mindbreeze InSpire
      • Release Notes 23.5 Release - Mindbreeze InSpire
      • Release Notes 23.6 Release - Mindbreeze InSpire
    • Security
      • Known Vulnerablities
    • Product Information
      • Product Information - Mindbreeze InSpire - Standby
      • Product Information - Mindbreeze InSpire
    Home

    Path

    Sure, you can handle it. But should you?
    Let our experts manage the tech maintenance while you focus on your business.
    See Consulting Packages

    Caching Principal Resolution Service

    Installation and Configuration

    Copyright ©

    Mindbreeze GmbH, A-4020 Linz, 2023.

    All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.

    These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.

    For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

    Caching Principal Resolution Service: General SettingsPermanent link for this heading

    Cache SettingsPermanent link for this heading

    Identity Encryption Credential

    This option allows you to display the user identity in encrypted form in app.telemetry.

    Cache In Memory Items Size

    Number of elements stored in the cache. Depends on the available memory of the JVM.

    Database Directory Path

    The directory path of the cache.

    Example: /data/principal_resolution_cache

    If you are using a Mindbreeze Enterprise product, a path must be set.

    If you are using a Mindbreeze InSpire product, the path does not need to be set.

    Group Members Resolution And Inversion Threads

    This option determines the number of threads that will resolve parallel group members and invert those groups. Values less than 1 are assumed to be 1.

    In-Memory Containers Inversion Threshold (Advanced Setting)

    This option sets the maximum number of groups. If this number is exceeded, further RAM consumption during inversion is avoided by using hard disks.

    Cache Update SettingsPermanent link for this heading

    Cache Update Interval (Minutes)

    This option determines (in minutes) when the cache should be refreshed. (Default value: 60 minutes)

    Values below 0, disable the cache update.

    When starting the service, the last (persisted) cache update time is taken into account. This means that the cache is not necessarily updated when the service is stopped/started, for example, but only at the next time interval.

    Readonly (Advanced Setting)

    This option should only be used for Producer Consumer configurations. Consumer caches should have this option enabled if the "Readonly on Consumer" option is enabled in the Producer cache.

    Delete old cache after update

    This option is enabled by default and determines whether the old cache data should be deleted after each update.

    If this option is disabled, old cache data will not be deleted. This data will accumulate on your storage device, so it is recommended that this option is always enabled.

    Backup cache before cleaning

    If this option is selected, a copy of the cache is created in the /data/currentservice/<service name>/temp directory

    Clean Cache Update Schedule

    In this field you can configure cache cleanup and update using Extended Cron Expressions at specific times (documentation and examples of Cron Expressions can be found here)

    Clean Cache after each N updates

    In this field, you can enter a number (N) for the cache to be cleared and rebuilt after a certain number of updates (N).

    Retry Update Cache Run If Was Incomplete In (Minutes)

    This option determines (in minutes) when the cache should perform a new update process if an update was incomplete.

    Values below 0, disable the cache retry update.

    Health Check SettingsPermanent link for this heading

    A health check automatically checks the connection to the cache and restarts the service if connection problems are detected.

    This is done by sending a Health Check network request to the cache. If there is no response from the cache within the timeout period that is specified, this is considered to be a failure. This process is repeated until the maximum number of failures is exceeded or a response is received within the timeout.

    If the maximum number of failures is exceeded, the cache service is automatically restarted.

    Health Check Interval (Minutes)

    This option specifies the time interval in minutes after which a health check should be performed.

    Health Check max. Retries On Failure

    This option specifies how often the health check is repeated if it was not successful.

    If the number of repetitions specified here is exceeded, a restart is performed.

    Health Check Request Timeout (ms)

    This option specifies the time in milliseconds within which the response must come back to the health check for the health check to be considered successful.

    Service SettingsPermanent link for this heading

    Webservice Port

    The service is available on the specified port. If multiple Principal Resolution Services are configured, make sure that they have different "Webservice Port" parameters and that they are available.

    Identity Alias Name Property

    This option allows you to use properties in the identity to search for group memberships in the cache by their value.

    Lowercase Principals

    With this option, all principals supplied by the cache are written down.

    Preserve Case for Principals Matching Pattern

    This option allows to keep certain principals (defined by regex patterns) in their original format (not lowercase).

    Case Insensitive Member Resolution

    This option determines whether users are checked regardless of their capitalization.

    Exclude Principals Pattern

    This option allows you to remove specific principals for all users from their principals list.

    Suppress Anonymous Users Principals

    This option can be used, for example, to suppress the "Everyone" principle for anonymous users, i.e. anonymous users cannot find public documents either.

    Suppress External Service Calls

    The "Suppress External Service Calls" option prevents external services, e.g., LDAP, from being queried during the search.

    Resolve non-anonymous principal to all registered users.

    This option determines whether "normal" (non-anonymous) users belong to the group that contains all users.

    Parent Cache SettingsPermanent link for this heading

    Use Parent Principals Cache Service

    If this option is enabled, additional groups of the user are resolved and delivered in another cache (Parent Cache).

    Parent Principals Cache Service Port

    The port used for the "Use Parent Principals Cache Service" option if enabled.

    Parent Cache Principals Include Patterns

    If empty, all parent cache principals are included, otherwise a parent principal must match at least one pattern (case-insensitive) to be included.

    Parent Cache Principals Exclude Patterns

    Parent cache principals that match at least one pattern line (case-insensitive) are excluded. "exclude patterns" have priority over "include patterns".

    Consumer Services (Advanced Setting)Permanent link for this heading

    See Producer Consumer Configuration.

    Caching Principal Resolution Service (Active Directory LDAP)Permanent link for this heading

    1. Add a “CachingLdapPrincipalResolution” service under “Services” in the “Indices” tab.

    1. “LDAP Server Hostname“ should only be configured to overwrite the configuration of “Preferred LDAP Server” under “LDAP Settings” (in the “Network”  tab). The required login information “LDAP Credential” can be selected either directly here or in the “Network” tab under “Endpoints.”

    If “LDAP Connection Encryption” is selected the “Connection Encryption” under “LDAP Settings” in the “Network” tab is overwritten. The SSL protocol (LDAPS) on port 636 or the TLS protocol (StartTLS) on port 389 can be selected. If Unencrypted is selected, no encryption is performed.

    1. In order to cache user and groups of different domains from the same Active Directory Forest or other Active Directory Forests (Trusted Domain Foreign Security Principals) their domain names should be configured in Domain Name field of LDAP Settings. The corresponding Credentials and Endpoints should be provided accordingly.

    1. The Location can be configured as dns://<domain> (e.g. dns://mycompany.com) to use these credentials for multiple LDAP servers at the same time in one DNS domain. It is also possible to assign a credential directly to an LDAP server: ldap://<ldapserver hostname> (e.g. ldap://ldapserver.mycompany.com).

    1. If no login information is configured, Kerberos is used. To do this, a valid keytab must first be uploaded under Linux and selected for this service under “Setup Kerberos Authentication.”

    1. In the Kerberos authentication case, the UPN (User Principal Name) attribute of the user from the LDAP directory is used as a key for cache search. If another authentication method is used, which would send the user’s e-mail address for instance, the corresponding LDAP attributes, in this case mail, should be configured as “Alias Name LDAP Attribute”.  In addition, the “Identity Alias Name Property” field should contain the property name provided by authentication. The attributes “msDS-principalName” und “userPrincipalName” are automatically saved for all users because they are used by the client service during Kerberos authentication. Therefore, they should not be configured as user aliases. If only one domain is configured, the attribute “sameaccountname” is also automatically added.

    1. If the ACLs are not normalized during indexing, i.e. they are not converted to DN format and they correspond, for example, to the “msDS-principalName“ attribute of a group in the active directory, then the “Group Alias Name LDAP Attribute“ should also be configured.

    1. If users have different alias names in multiple domains, aliases from certain domains can be deprioritized using “Deprioritize Alias Names From Domain.” As a result, the principals in these domains are not added to the list of user principals.
    2. Using “Suppress ‘Everyone’ Principal For Domain“ and “Suppress ‘Authenticated Users‘ Principal For Domain“ prevents users from being treated as members of these groups.

    If only certain groups or users are to be stored in the cache, the "Group Filters" or "User Filters" can be configured and used for this purpose. The filters must correspond to the LDAP filter syntax. The cache structure can be restricted to certain ActiveDirectory organizational units. Therefore it is necessary to configure the "Exclude Base DN" and "Include Base DN" options accordingly. The "Distinguished Name" of all users and groups is compared with the individual lines of the configured "Include Base DN" and "Exclude Base DN" to include or exclude the user or group. The "Exclude Base DN" option is applied first.

    1. By selecting the “Include Identity Principals” option, you can also search the cache for identity principals that are sent with the identity itself and find their group memberships. However,
    2. “Identity Alias Name Property” allows you to use properties located in the identity in order to use their value to search the cache for group memberships.
    3. Further settings can be found under General Settings.



    6. “Preserve Case for Principals Matching Pattern“ allows you to keep certain principals (defined by Regex pattern) in the original format (not lower case).
    7. “Exclude Principals Pattern“ allows you to remove certain principals for all users from their principals list.
    8. Configuring “Foreign Security Principal Domains“ enables optimized  resolution of foreign security principals (users or groups from trusted domains). Foreign security principals are resolved for the entire domain at startup and cached until next update. For example: If the users or groups of domain1.com are added in some groups of the domain2.com then only domain1.com should be configured in this field. If this field is empty then foreign security principals will be resolved individually which, in extreme cases, may cause performance issues (timeouts) if there is a very high number of foreign security principals. All involved domains should be already configured in LDAP Setting section of Network tab.
    9. “Suppress Anonymous Users Principals“ makes it possible, for example, to suppress the “Everyone” principal for anonymous users, meaning anonymous users cannot even find public documents.
    10. “Resolve non anonymous principal to all registered users“ determines whether "normal" (non-anonymous) users belong to the group that contains all users.

    "Include Principals Rule" allows you to add new principals for all users (if these users match a configured Regex pattern). It can also be used to create "pseudogroups", i.e. groups that implicitly contain all users. For example, with the "Pattern" .* (matches all) and the "Principal" myportal-users a pseudogroup myportal-users can be created. Each user is thus a member of the pseudogroup myportal-users.

    1. “Suppress LDAP Queries“ prevents LDAP queries from being made to find these groups.
    2. „Case Insensitive Member Resolution“ determines if principals are checked in a case-insensitive manner. (Default: active)
    3. The “Use Parent Principal Cache Service“ and “Parent Principal Cache Service Port” options enable the group membership resolution of the user in another cache (parent cache). This means that the groups resolved by the parent cache are also returned as group membership.

    1. Finally, select this service in the crawler configuration under “Caching Principal Resolution Service”. See chapter 5.

    Caching Principal Resolution Service (Novell LDAP)Permanent link for this heading

    1. Add a “CachingNovellLdapPrincipalResolution” service under “Services” in the “Indices” tab.

    1. “LDAP Server Hostname” should only be configured to overwrite the configuration “Preferred LDAP Server” in the “LDAP Settings” in the “Network” tab. The required login information “LDAP Credential” can either be selected directly here or in the “Network” tab under “Endpoints.”

    1. The location for an LDAP server has this format: ldap://<ldapserver hostname> (e.g. ldap://ldapserver.mycompany.com).

    1. The “Username” must be specified in DN format and the “Domain” field must be left blank.

    1. For further configuration parameters see: Caching Principal Resolution (Active Directory LDAP).

    Configuring the data sources for the Caching Principal Resolution Service.Permanent link for this heading

    Select one of the configured caching principal resolution services in “Data Source”. For example, Caching LDAP Principal Resolution can be selected for a file system data source (in the screenshot “FS Data Source”).

    Producer Consumer ConfigurationPermanent link for this heading

    Producer CachePermanent link for this heading

    On the producer node, click on "Add Property" in the "Consumer Services" section and configure the following fields:

    Readonly on Consumer

    This checkbox should be selected only on producer nodes of Mindbreeze InSpire environments with producer and consumer nodes. Local updates on all consumer nodes will be disabled. If Consumers Base URLs are configured, then only those configured consumers will be updated remotely. The explicit configuration of consumer is not recommended in situations where some consumer nodes are disabled or their role is change in MMC nodes setup. In such dynamic nodes situations, it is recommended to select only this checkbox, the consumers will be detected automatically according to current MMC nodes setup.

    Base URL

    The URL to the Mindbreeze Management Center of the Mindbreeze InSpire consumer appliance. If hosted in the cloud, usually https://mycompany.mindbreeze.com:8443

    Windows: Base URL should be directly the consumer cache URL (HTTP). E.g. http://consumerhost:23900

    Realm

    The target realm used by the consumer appliance.Default: "master".

    Windows: Realm should be empty

    Service Port

    The Caching Principal Resolution Service Port on the Mindbreeze InSpire Appliance

    Windows: Service Port should be empty

    Disable

    To disable updating the remote cache

    Consumer CachePermanent link for this heading

    On InSpire environments with producer and consumer nodes local cache updates are disabled on consumers if “Readonly on Consumer” option is selected on producer nodes. On other environments activate the "Readonly" checkbox manually. No further configuration is necessary. After each cache update on producer all of the consumer caches are automatically synchronized.

    Principal Resolution Service REST APIPermanent link for this heading

    URL

    Description

    http://localhost:23900/control?action=updatecache

    Updates all containers.

    http://localhost:23900/control?action=updatecache&container=<containerid>&isunifiedid=false

    Updates <containerid> only.

    http://localhost:23900/control?action=updatecache&partition=<partition>

    Updates only one partition.

    http://localhost:23900/control?action=updatecache&scope=full

    Performs a complete update

    http://localhost:23900/control?action=updatecache&scope=clean

    Performs a cleanup and a full update.

    http://localhost:23900/control?action=cancelupdate

    Aborts a running update.

    http://localhost:23900/control?action=checkconsistency&individualid=<userid>&isunifiedid=false

    Checks if cached principals match <userid> with the principals provided by the source. If “all” is used instead of <userid>, the check is performed for all users.

    http://localhost:23900/control?action=checkprincipals&individualid=<userid>&timeoutms=<milliseconds>

    Returns principals with <userid> from the cache. <userid> should not be a unified ID.

    http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&aliasnameattribute=<attribute>&aliasname=<aliasname>&timeoutms=<milliseconds>  

    Returns principals with alias names. <aliasnameattribute> should be the configured  “Service Request Identity Alias Name Property.”

    http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&isanonymous=true&timeoutms=<milliseconds>

    Returns principals of anonymous users

    http://localhost:23900/control?action=export&path=/data/tmp/export

    Exports all database tables in CSV format.

    http://localhost:23900/control?action=reopencache&path=c:\newcache

    Reopens the cache in an empty directory. The cache should be updated after reopening.

    http://localhost:23900/info?key=cachedir

    Returns the currently used cache directory.

    http://localhost:23900/control?action=updateprincipalmembership&container=<container>&individuals=<individuals>

    <individuals> List of individuals separated by ";" – e.g. user1; user2.

    http://localhost:23900/control?action=printstacktraces

    Outputs the current status of all threads.

    http://localhost:23900/control?action=reset&aliasnames=true&partition=<partition>

    Resets the alias names of a partition.

    http://localhost:23900/control?action=syncconsumers

    All configured consumer caches are synchronized.

    http://localhost:23900/control?action=setLogCacheUpdateCalls&value=true

    Enables debug logging of all the calls which the caching framework makes in order to get into its current state. (can be deactivated with “value=false”).

    Download PDF

    • Installation & Configuration - Caching Principal Resolution Service

    Content

    • Caching Principal Resolution Service: General Settings
    • Caching Principal Resolution Service (Active Directory LDAP)
    • Caching Principal Resolution Service (Novell LDAP)
    • Configuring the data sources for the Caching Principal Resolution Service.
    • Producer Consumer Configuration
    • Principal Resolution Service REST API

    Download PDF

    • Installation & Configuration - Caching Principal Resolution Service