
Overview

The Active Directory Security Module (security-ad) contains two LDAP principal scanners in addition to the Active Directory scanners: the Ldap scanner and the Ldap - Shared Configuration scanner. The Ldap scanner is easier to use because it can be configured entirely from the UI. The Ldap - Shared Configuration scanner can be used to create a single configuration that is shared by the Ldap principal scanner and the Ldap authentication provider.

These Ldap scanners perform two LDAP queries: the first query resolves all groups and the second query resolves all users and their group memberships.

The following attributes are used to generate Attivio principal IDs: a user's principal ID is set to the value of the uid attribute, and a group's principal ID is set to the value of the cn (common name) attribute.

Required Modules

These features require that the security-ad module be included when you run createproject to create the project directories.

Configuring an LDAP Scanner from the Admin UI

A new LDAP scanner can be created from the http://<host>:17000/admin/connectors admin page - click the +New tab and choose the Ldap connector.

See the Configuration Options section below for the typically used scanner parameters.

Configuring an LDAP Scanner from a Shared Configuration Bean

Two steps are required to configure an Ldap - Shared Configuration scanner:

  • Define a configuration bean. See the LdapDirectoryConfig Bean Properties section in Active Directory and LDAP Configuration.
  • Configure the Ldap - Shared Configuration scanner from the admin UI and set the Ldap Config Bean property to the bean's name. If the bean name is, for example, ldapDirectoryConfig, then specify ldapDirectoryConfig.

Permissions

The bindDn user must have search permission on the userSearchBase and groupSearchBase org units.

Incremental Scan

Incremental Options

The LDAP Principal Scanner can be configured to scan incrementally. There are two incremental scan features, which can be turned on and off independently:

  • Incrementally ingest only modified users and groups.
  • Delete obsolete principals (users and groups which were deleted from LDAP).

The incremental functionality is implemented using a history log mechanism. The initial scan records all the scanned principals and their signatures. The signature of a principal is a checksum that captures all of the principal's relevant information. A changed signature signals to the LDAP principal scanner, in subsequent runs, that the principal must be re-ingested. Principals that were ingested before but are not seen in subsequent runs are deleted from the Attivio index if the incremental deletion option is turned on.
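The history-log comparison described above, together with the principal ID rules (uid for users, cn for groups), as an added illustration in Python; this is not Attivio code. The sample entries are constructed, the "user:"/"group:" ID prefixes and the SHA-256 checksum are assumptions, and how the history is kept when deletion is turned off is likewise assumed.

```python
import hashlib
import json

# Constructed sample entries (not from a real directory), in the order the scanner's
# two queries return them: groups first, then users with their memberships.
GROUPS = [{"cn": "engineering", "member": ["uid=alice,ou=people,dc=example,dc=com",
                                            "uid=bob,ou=people,dc=example,dc=com"]}]
USERS = [{"uid": "alice", "mail": "alice@example.com", "memberOf": ["engineering"]},
         {"uid": "bob", "mail": "bob@example.com", "memberOf": ["engineering"]}]


def principal_id(entry):
    """Principal ID: uid for users, cn (common name) for groups. The 'user:' and
    'group:' prefixes are an assumption that keeps the two ID spaces apart."""
    return "user:" + entry["uid"] if "uid" in entry else "group:" + entry["cn"]


def signature(entry):
    """Checksum of the principal's relevant information. The page does not name the
    checksum; SHA-256 over the canonically serialised attributes is assumed here."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def incremental_scan(groups, users, history, ingest_modified=True, delete_obsolete=True):
    """One scanner run. `history` maps principal ID -> signature recorded by earlier
    runs (empty after Reset, so the run is a full scan).
    Returns (IDs to ingest, IDs to delete, updated history)."""
    seen = {principal_id(e): signature(e) for e in groups + users}
    if ingest_modified:
        # new principals and principals whose signature changed
        to_ingest = sorted(pid for pid, sig in seen.items() if history.get(pid) != sig)
    else:
        to_ingest = sorted(seen)  # every configured principal is ingested each run
    # principals recorded earlier but absent from this scan are obsolete
    to_delete = sorted(pid for pid in history if pid not in seen) if delete_obsolete else []
    # assumption: with deletion off, unseen principals stay in the log until deleted
    new_history = seen if delete_obsolete else {**history, **seen}
    return to_ingest, to_delete, new_history
```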

Reset

The Reset tab is used to erase the history log. The next scan after applying Reset will be a full scan: all configured users and groups will be ingested.

Reset should not normally be used in a production environment, since users and groups deleted from LDAP between the Reset and the next scan will not be automatically deleted from the index.

Configuration Options

The main configuration parameters are described below. All the configuration parameters are documented on the LdapScannerViaProperties configuration page. The scanner can be created and configured from the admin/connectors page.

  • Security Realm ID: The realm assigned to all principals.
  • LDAP URI: URL of the LDAP server. See the JNDI Tutorial for the syntax.
  • Bind User: The distinguished name of an LDAP user (must have search permission).
  • Bind Password: Password for the Bind User. This field can be encrypted using the "aie-exec password" command.
  • User Search Base: Org Unit (aka folder) of the LDAP server that contains all User objects.
  • User Search Filter: LDAP filter used to restrict users.
  • Group Search Base: Org Unit (aka folder) of the LDAP server that contains all Group objects.
  • Group Search Filter: LDAP filter used to restrict groups.

Content Security

Use the AIE Role Assignments UI to view ingested and committed Content Security principals and debug potential security issues.

Role-Based Security

Use the Role-Based Security UI to view ingested and committed Role-Based principals and assign roles. For Business Center, the Manage Attivio and Business Center Users UI should be used instead.
