
Overview

The Active Directory Security Module (security-ad) has two scanners, the ActiveDirectoryScanner and the ActiveDirectoryScannerViaProperties, which ingest users and groups from an Active Directory server. The ActiveDirectoryScanner is configured with an Active Directory and LDAP Configuration object, whereas the ActiveDirectoryScannerViaProperties is configured by setting properties directly on the scanner. Both scanners perform two LDAP queries: the first resolves all groups, and the second resolves all users and their memberships. By default, a user's principal id is set to objectSid and a group's principal id is set to distinguishedName.
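As an added illustration (not code from the security-ad module or this page), the following Python models the two-step ingest described above on constructed sample LDAP entries: groups keyed by distinguishedName, users keyed by objectSid decoded from the binary form Active Directory returns, and user memberships resolved against the groups fetched by the first query. The decode_sid and build_principals functions, the sample entries and the "unresolved" bookkeeping are assumptions for illustration, not the scanner's own behaviour.

```python
import struct

def decode_sid(raw: bytes) -> str:
    """Convert a binary objectSid (as returned by AD over LDAP) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit identifier authority, big-endian
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # sub-authorities are little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

# Constructed sample entries (hypothetical domain), shaped like LDAP search results.
FINANCE_DN = "CN=Finance,OU=Groups,DC=example,DC=com"
LEGACY_DN = "CN=Legacy,OU=Old,DC=example,DC=com"        # outside groupSearchBase, so never fetched
ALICE_DN = "CN=Alice,OU=Users,DC=example,DC=com"
ALICE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 1001)

SAMPLE_GROUPS = [{"distinguishedName": FINANCE_DN, "member": [ALICE_DN]}]
SAMPLE_USERS = [{"distinguishedName": ALICE_DN, "objectSid": ALICE_SID,
                 "memberOf": [FINANCE_DN, LEGACY_DN]}]

def build_principals(groups, users):
    """Mirror the two-query ingest: groups first (id = DN), then users (id = objectSid)."""
    principals = {}
    for g in groups:
        dn = g["distinguishedName"]
        principals[dn] = {"type": "group", "id": dn, "members": list(g.get("member", []))}
    for u in users:
        sid = decode_sid(u["objectSid"])
        member_of = u.get("memberOf", [])
        # A memberOf DN that the group query did not return cannot be mapped to a
        # group principal; keep it visible so a too-narrow groupSearchBase is noticed.
        principals[sid] = {
            "type": "user", "id": sid,
            "memberOf": [dn for dn in member_of if dn in principals],
            "unresolved": [dn for dn in member_of if dn not in principals],
        }
    return principals

if __name__ == "__main__":
    for pid, p in build_principals(SAMPLE_GROUPS, SAMPLE_USERS).items():
        print(pid, p)
```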

Required Modules

These features require that the security-ad module be included when you run createproject to create the project directories.

It is easier to use the ActiveDirectoryScanner with a shared configuration bean when configuring multiple Active Directory objects in AIE. Note, however, that the individual properties cannot be configured via the Connector UI for this scanner; the UI can only be used to select which Active Directory Configuration bean is used for the connection.



Permissions

The bindDn user must have the following permissions:

  • search permission for the userSearchBase and groupSearchBase org units.
  • search permission for the Deleted Objects org unit (if incremental deletes are enabled).

Configuration

You can configure the scanner to ingest principals for content security or role-based user security as follows.

Ingest Principals (Users and Groups)

The following example creates the Active Directory Scanner using a shared Active Directory and LDAP Configuration bean. This "activeDirectoryConnector" can be used to ingest all users and groups from Active Directory, as specified by the shared activeDirectoryConfig bean.

<project-dir>/conf/connector/activeDirectoryConnector.xml
<?xml version="1.0" encoding="UTF-8"?>
<connector xmlns="http://www.attivio.com/configuration/type/connectorType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="activeDirectoryConnector" xsi:schemaLocation="http://www.attivio.com/configuration/type/connectorType http://www.attivio.com/configuration/type/connectorType.xsd http://www.attivio.com/configuration/type/componentType http://www.attivio.com/configuration/type/componentType.xsd ">

  <scanner class="com.attivio.securityad.connector.ActiveDirectoryScanner">
    <properties xmlns="http://www.attivio.com/configuration/type/componentType">
      <container-property name="config" reference="activeDirectoryConfig"/>
    </properties>
  </scanner>
  <feeder class="com.attivio.connector.DirectMessagePublisher">
    <properties xmlns="http://www.attivio.com/configuration/type/componentType">
      <list name="documentStoreFilterFields">
        <entry value="table"/>
      </list>
      <map name="sizeToDomain"/>
      <property name="ingestWorkflowName" value="ingestPrincipals"/>
    </properties>
  </feeder>

</connector>


The following example creates an Active Directory Scanner using Active Directory properties directly on the scanner.

<project-dir>/conf/connector/activeDirectoryConnector.xml
<?xml version="1.0" encoding="UTF-8"?>
<connector xmlns="http://www.attivio.com/configuration/type/connectorType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="activeDirectoryConnector" xsi:schemaLocation="http://www.attivio.com/configuration/type/connectorType http://www.attivio.com/configuration/type/connectorType.xsd http://www.attivio.com/configuration/type/componentType http://www.attivio.com/configuration/type/componentType.xsd ">

  <scanner class="com.attivio.connector.ActiveDirectoryScannerViaProperties">
    <properties xmlns="http://www.attivio.com/configuration/type/componentType">
      <property name="realmId"           value="ActiveDirectoryRealm"/>
      <property name="url"               value="ldap://hostname"/>
      <property name="bindDn"            value=""/>
      <property name="bindPassword"      value=""/>
      <property name="userSearchBase"    value="DC=attivio,DC=com"/>
      <property name="userSearchFilter"  value=""/>
      <property name="groupSearchBase"   value="DC=attivio,DC=com"/>
      <property name="groupSearchFilter" value=""/>
    </properties>
  </scanner>
  <feeder class="com.attivio.connector.DirectMessagePublisher">
    <properties xmlns="http://www.attivio.com/configuration/type/componentType">
      <list name="documentStoreFilterFields">
        <entry value="table"/>
      </list>
      <map name="sizeToDomain"/>
      <property name="ingestWorkflowName" value="ingestPrincipals"/>
    </properties>
  </feeder>
</connector>


Content Security

Use the AIE Role Assignments UI to view ingested and committed Content Security principals and debug potential security issues.

Role-Based Security

Use the Role-Based Security UI to view ingested and committed Role-Based principals and assign roles. For Business Center, the Manage Attivio and Business Center Users UI should be used instead.

Scanning Active Directory Over SSL

Detailed steps are here: Configuring Active Directory Principal Scanner work over SSL
