The Active Directory Security Module (security-ad) contains two LDAP principal scanners in addition to the Active Directory scanners: the Ldap scanner and the Ldap - Shared Configuration scanner. The Ldap scanner is easier to use because it is configured entirely from the Admin UI. The Ldap - Shared Configuration scanner lets you define a single configuration bean that is shared by the Ldap principal scanner and the Ldap authentication provider.
Both scanners perform two LDAP queries: the first resolves all groups, the second resolves all users together with their group memberships.
Attivio principal IDs are generated from the following attributes: a user's principal ID is the value of the uid attribute, and a group's principal ID is the value of the cn (common name) attribute.
These features require that the security-ad module be included when you run createproject to create the project directories.
Configuring an LDAP Scanner from the Admin UI
A new LDAP scanner can be created from the http://<host>:17000/admin/connectors admin page - click the +New tab and choose the Ldap connector.
See the Configuration Options section below for the typically used scanner parameters.
Configuring an LDAP Scanner from a Shared Configuration Bean
Two steps are required to configure the Ldap - Shared Configuration scanner:
- Define a configuration bean. See the LdapDirectoryConfig Bean Properties section in Active Directory and LDAP Configuration.
- Configure the Ldap - Shared Configuration scanner from the admin UI and set its Ldap Config Bean property to the name of that bean. If the bean name is, for example, ldapDirectoryConfig, then specify ldapDirectoryConfig.
The bindDn user must have search permission for the groupSearchBase org units; without it the group query returns no entries and no memberships can be resolved.
The LDAP Principal Scanner can be configured to scan incrementally. There are two incremental scan features, which can be turned on and off independently:
- Incrementally ingest only modified users and groups.
- Delete obsolete principals (users and groups that were deleted from LDAP).
The incremental functionality is implemented with a history log. The initial scan records every scanned principal together with its signature. The signature of a principal is a checksum that captures all of the principal's relevant information. In subsequent runs, a changed signature tells the scanner that the principal must be re-ingested. Principals that were ingested in an earlier run but are not seen in the current run are deleted from the Attivio index if the incremental deletion option is turned on.
The Reset tab erases the history log. The next scan after a reset is a full scan: all configured users and groups are ingested.
Reset should not normally be used in a production environment, because users and groups deleted from LDAP between the reset and the next scan are no longer recorded in the history log and so will not be automatically deleted from the index.
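The following Python script is an added example, not Attivio's own scanner code, that replays the scan model described above (two queries, uid and cn as principal IDs, a signature per principal, a history log that drives re-ingestion and deletion, and what Reset does to it) over a constructed in-memory directory. The attribute names objectClass and member, the realm name "ldap", the search bases, the user and group entries, and the set of attributes folded into the signature are all assumptions chosen for the illustration.

```python
"""Simulated LDAP principal scan with a signature-based history log.

Added example, not Attivio's code. Directory contents, attribute names, the
realm name and the attributes hashed into a signature are assumptions.
"""
import copy
import hashlib
import json

REALM = "ldap"                                   # assumed Security Realm ID
GROUP_BASE = "ou=groups,dc=example,dc=com"      # assumed Group Search Base
USER_BASE = "ou=users,dc=example,dc=com"        # assumed User Search Base
ALICE_DN = "uid=alice,ou=users,dc=example,dc=com"
BOB_DN = "uid=bob,ou=users,dc=example,dc=com"
STAFF_DN = "cn=staff,ou=groups,dc=example,dc=com"

# Constructed sample directory: DN -> attributes (LDAP values are multi-valued).
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["admins"], "member": [ALICE_DN]},
    STAFF_DN: {
        "objectClass": ["groupOfNames"], "cn": ["staff"], "member": [ALICE_DN, BOB_DN]},
    ALICE_DN: {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
               "cn": ["Alice Liddell"], "mail": ["alice@example.com"]},
    BOB_DN: {"objectClass": ["inetOrgPerson"], "uid": ["bob"],
             "cn": ["Bob Hope"], "mail": ["bob@example.com"]},
}


def search(directory, base, object_class):
    """Stand-in for a subtree LDAP search under `base` with filter (objectClass=...)."""
    suffix = "," + base.lower()
    return {dn: a for dn, a in directory.items()
            if dn.lower().endswith(suffix) and object_class in a.get("objectClass", [])}


def scan(directory):
    """Run the scanner's two queries; return principals keyed by (type, id)."""
    principals, members_of = {}, {}              # members_of: member DN -> group IDs
    # Query 1: all groups. The group principal ID is the cn value.
    for attrs in search(directory, GROUP_BASE, "groupOfNames").values():
        gid, members = attrs["cn"][0], sorted(attrs.get("member", []))
        principals[("group", gid)] = {"realm": REALM, "id": gid, "members": members}
        for dn in members:
            members_of.setdefault(dn, set()).add(gid)
    # Query 2: all users plus their memberships. The user principal ID is the uid value.
    for dn, attrs in search(directory, USER_BASE, "inetOrgPerson").items():
        uid = attrs["uid"][0]
        principals[("user", uid)] = {"realm": REALM, "id": uid, "name": attrs["cn"][0],
                                     "mail": attrs.get("mail", []),
                                     "groups": sorted(members_of.get(dn, ()))}
    return principals


def signature(principal):
    """Checksum of the principal's relevant information; canonical JSON so key order is irrelevant."""
    canonical = json.dumps(principal, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def incremental_run(directory, history, ingest_modified_only=True, delete_obsolete=True):
    """One scanner run. `history` maps (type, id) -> signature from earlier runs;
    an empty history is a full scan. Returns (to_ingest, to_delete, new_history)."""
    signatures = {key: signature(p) for key, p in scan(directory).items()}
    if ingest_modified_only:
        to_ingest = sorted(k for k, s in signatures.items() if history.get(k) != s)
    else:
        to_ingest = sorted(signatures)
    # Recorded in the log but absent from this run: deleted from LDAP.
    to_delete = sorted(k for k in history if k not in signatures) if delete_obsolete else []
    return to_ingest, to_delete, signatures


def reset(history):
    """The Reset tab: erase the history log so the next run is a full scan."""
    return {}


def demo():
    """Four runs; returns the (to_ingest, to_delete) decision of each."""
    results = {}
    ingest, delete, history = incremental_run(DIRECTORY, {})      # run 1: full scan
    results["run1"] = (ingest, delete)
    changed = copy.deepcopy(DIRECTORY)                            # run 2: bob's mail changed
    changed[BOB_DN]["mail"] = ["robert@example.com"]
    ingest, delete, history = incremental_run(changed, history)
    results["run2"] = (ingest, delete)
    removed = copy.deepcopy(changed)                              # run 3: bob deleted from LDAP
    del removed[BOB_DN]
    removed[STAFF_DN]["member"].remove(BOB_DN)
    ingest, delete, _ = incremental_run(removed, history)
    results["run3"] = (ingest, delete)
    # Reset caveat: reset after run 2, bob deleted before the next scan. The full
    # scan re-ingests everyone still present but bob is never deleted from the index.
    ingest, delete, _ = incremental_run(removed, reset(history))
    results["after_reset"] = (ingest, delete)
    return results


if __name__ == "__main__":
    for run, (ingest, delete) in demo().items():
        print(run, "ingest:", ingest, "delete:", delete)
```

Run 3 shows both features at once: removing bob from the staff group changes the group's signature, so staff is re-ingested, while bob himself is only deleted because his key is still in the history log. The last run is the production caveat from the text in executable form: once the log is erased, nothing records that bob ever existed, so the deletion is silently lost.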
Configuration Options
The main configuration parameters are described below. All configuration parameters are documented on the LdapScannerViaProperties configuration page. The scanner is created and configured from the admin/connectors page.
Security Realm ID
The realm assigned to all principals.
LDAP URL
URL of the LDAP server. See the JNDI Tutorial for the syntax.
Bind DN
The distinguished name of an LDAP user (must have search permission).
Bind Password
Password for the Bind User. This field can be encrypted using the "aie-exec password" command.
User Search Base
Org Unit (aka. folder) of the LDAP server that contains all User objects.
User Search Filter
LDAP filter used to restrict users.
Group Search Base
Org Unit (aka. folder) of the LDAP server that contains all Group objects.
Group Search Filter
LDAP filter used to restrict groups.
Use the AIE Role Assignments UI to view ingested and committed Content Security principals and debug potential security issues.