Overview
The Active Directory Security Module (security-ad) contains two LDAP principal scanners in addition to the Active Directory scanners: the Ldap scanner and the Ldap - Shared Configuration scanner. The Ldap scanner is easier to use because it can be configured entirely from the admin UI. The Ldap - Shared Configuration scanner can be used to create a single configuration that is shared by the Ldap principal scanner and the Ldap authentication provider.
Both scanners perform two LDAP queries: the first resolves all groups, and the second resolves all users together with their group memberships.
Attivio principal IDs are derived from LDAP attributes: a user's principal ID is the value of the uid attribute, and a group's principal ID is the value of the cn (common name) attribute.
Required Modules
These features require that the security-ad module be included when you run createproject to create the project directories.
Configuring an LDAP Scanner from the Admin UI
A new LDAP scanner can be created from the http://<host>:17000/admin/connectors admin page: click the +New tab and choose the Ldap connector.
See the Configuration Options section below for the typically used scanner parameters.
Configuring an LDAP Scanner from a Shared Configuration Bean
Two steps are required to configure an Ldap - Shared Configuration scanner:
- Define a configuration bean. See the LdapDirectoryConfig Bean Properties section in Active Directory and LDAP Configuration.
- Create the Ldap - Shared Configuration scanner from the admin UI and set its Ldap Config Bean property to the name of that bean. If the bean is named, for example, ldapDirectoryConfig, then specify ldapDirectoryConfig.
Permissions
The bindDn user must have search permission on the userSearchBase and groupSearchBase org units. The scanner only reads the directory, so use a dedicated read-only service account as the bind user rather than an administrative one, and confirm before configuring the scanner that a search under each of the two bases succeeds when bound as that DN.
Incremental Scan
Incremental Options
The LDAP principal scanner can be configured to scan incrementally. There are two incremental scan features, which can be turned on and off independently:
- Incrementally ingest only modified users and groups.
- Delete obsolete principals (users and groups that were deleted from LDAP).
The incremental functionality is implemented using a history log. The initial scan records every scanned principal together with its signature, a checksum that captures all of the principal's relevant information. In subsequent runs, a changed signature tells the scanner that the principal must be re-ingested. Principals that were ingested before but are not seen in a subsequent run are deleted from the Attivio index if the incremental deletion option is turned on.
Reset
The Reset tab erases the history log. The next scan after a reset is a full scan: all configured users and groups are ingested.
Reset should not normally be used in a production environment. Users and groups deleted from LDAP between the reset and the next scan are never recorded in the history log, so they are not automatically deleted from the index by that scan or by any later incremental scan.
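As an added example (not code from this page or from Attivio), the following Python models the two-query principal resolution and uid/cn ID mapping from the Overview together with the history-log mechanism and the Reset caveat described above. The attribute names (uid, cn, member), the realm name corp, the use of SHA-256 over canonical JSON as the signature and the in-memory history dict are assumptions made for illustration; the real scanner's signature algorithm and storage are not specified on this page.

```python
"""Added example (not Attivio code): a model of the scanner's two LDAP
queries, its principal ID mapping, and its incremental history log.
Assumptions not stated on the page: the attribute names uid, cn and member;
a SHA-256 over a canonical JSON form as the signature; and a history log
held as a dict of realm-qualified principal id -> signature."""
import hashlib
import json

REALM = "corp"  # assumed Security Realm ID

# Constructed sample entries standing in for the results of the two queries.
GROUPS = [
    {"cn": "finance", "member": ["uid=alice,ou=users,dc=example,dc=com"]},
    {"cn": "it", "member": ["uid=alice,ou=users,dc=example,dc=com",
                            "uid=bob,ou=users,dc=example,dc=com"]},
]
USERS = [
    {"dn": "uid=alice,ou=users,dc=example,dc=com", "uid": "alice", "mail": "alice@example.com"},
    {"dn": "uid=bob,ou=users,dc=example,dc=com", "uid": "bob", "mail": "bob@example.com"},
]


def resolve_principals(groups, users, realm=REALM):
    """Query 1 yields groups (principal id = cn); query 2 yields users
    (principal id = uid) and their memberships, derived here by matching
    each user's DN against the groups' member attribute."""
    principals = {}
    for g in groups:
        principals[f"{realm}:group:{g['cn']}"] = {
            "type": "group", "id": g["cn"], "members": sorted(g.get("member", []))}
    for u in users:
        member_of = sorted(g["cn"] for g in groups if u["dn"] in g.get("member", []))
        principals[f"{realm}:user:{u['uid']}"] = {
            "type": "user", "id": u["uid"], "mail": u.get("mail"), "groups": member_of}
    return principals


def signature(principal):
    """Checksum capturing the principal's relevant information; canonical JSON
    so that attribute order cannot change the signature."""
    return hashlib.sha256(json.dumps(principal, sort_keys=True).encode()).hexdigest()


def incremental_scan(history, principals, incremental=True, delete_obsolete=True):
    """One scanner run: returns (ids to ingest, ids to delete, new history).
    An empty history means the initial (or post-Reset) scan, which is full."""
    current = {pid: signature(p) for pid, p in principals.items()}
    if incremental and history:
        to_ingest = {pid for pid, sig in current.items() if history.get(pid) != sig}
    else:
        to_ingest = set(current)
    to_delete = set(history) - set(current) if delete_obsolete else set()
    # Obsolete principals that are not deleted stay in the log (assumption).
    new_history = current if delete_obsolete else {**history, **current}
    return to_ingest, to_delete, new_history


def reset():
    """The Reset tab: erase the history log so that the next scan is full."""
    return {}


def simulate_runs():
    """Walk the scenarios from the text; returns per-run results and the final index."""
    index, history, runs = set(), reset(), {}

    def run(groups, users):
        nonlocal history
        ingest, delete, history = incremental_scan(history, resolve_principals(groups, users))
        index.update(ingest)
        index.difference_update(delete)
        return sorted(ingest), sorted(delete)

    runs["initial"] = run(GROUPS, USERS)                      # full scan: everything ingested
    bob_changed = [dict(u, mail="robert@example.com") if u["uid"] == "bob" else u for u in USERS]
    runs["modified"] = run(GROUPS, bob_changed)               # only bob's signature changed
    groups_no_bob = [dict(g, member=[m for m in g["member"] if "uid=bob," not in m]) for g in GROUPS]
    users_no_bob = [u for u in USERS if u["uid"] != "bob"]
    runs["deleted"] = run(groups_no_bob, users_no_bob)        # group 'it' re-ingested, bob deleted
    history = reset()                                         # Reset pressed, then alice is removed
    runs["after_reset"] = run([dict(g, member=[]) for g in GROUPS], [])
    return runs, sorted(index)                                # alice is still in the index


if __name__ == "__main__":
    runs, index = simulate_runs()
    for name, (ingest, delete) in runs.items():
        print(f"{name:12} ingest={ingest} delete={delete}")
    print("index after reset scenario:", index)
```

The third run shows the coupling between the two features: removing bob from LDAP changes the member list of the it group, so that group is re-ingested and bob is deleted in the same run. The last run is the Reset caveat in miniature: alice was removed after the history was erased, so the full scan never sees her, she never enters the new history log, and she stays in the index with her old memberships.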
Configuration Options
The main configuration parameters are described below. All of the configuration parameters are documented on the LdapScannerViaProperties configuration page. The scanner can be created and configured from the admin/connectors page.
Property | Description |
---|---|
Security Realm ID | The realm assigned to all principals. |
LDAP URI | URL of the LDAP server. See the JNDI tutorial for the syntax. |
Bind User | The distinguished name of an LDAP user (must have search permission on both search bases). |
Bind Password | Password for the Bind User. This field can be encrypted using the "aie-exec password" command. |
User Search Base | Org unit (folder) of the LDAP server that contains all user objects. |
User Search Filter | LDAP filter used to restrict which users are ingested. |
Group Search Base | Org unit (folder) of the LDAP server that contains all group objects. |
Group Search Filter | LDAP filter used to restrict which groups are ingested. |
Content Security
Use the AIE Role Assignments UI to view ingested and committed Content Security principals and to debug potential security issues.
Role-Based Security
Use the Role-Based Security UI to view ingested and committed Role-Based principals and assign roles. For Business Center, the Manage Attivio and Business Center Users UI should be used instead.