LDAP Cache Service Tutorial


Visit the Aspire UI and log in if necessary. You will be presented with the home screen.

1. Click Settings to load the Services console.


Settings menu


2. You should now see the following screen.

Services Manager

Services management page


3. Choose Add Service and select LDAP Group Cache.

Service selection


4. The service will now load the configuration screen. This may take a moment if the connection to the internet is slow. Once the service has been downloaded, you will see the following:

Service configuration


5. Enter a service name or leave as default.


6. Click the Service tab at the top of the screen or use the “arrow” at the right of the screen to move to the service configuration screen. You will now see the service configuration.

7. Choose the Group Expansion Manager you previously installed, then fill in the Active Directory connection properties. The Search base is the point in the directory tree from which searches start, and Scope defines how far down the tree the search descends – either just the search base, the base and the next level, or the default of the entire Subtree.

User query should be an LDAP filter that returns all of the users you wish to cache. Typically this is (objectClass=user); in our case, however, that filter also returns computer accounts, which we are not interested in, so we extend it to (&(objectClass=user)(!(objectClass=computer))) to exclude them. Group query is the filter that returns all of the groups you wish to cache, typically (objectClass=group).

Service configuration

8. Scroll down to the Mapping attributes section and fill in the attributes that allow the user-to-group mapping to be performed. You must specify the attribute that uniquely identifies users and groups (the User key and Group key entries; usually the pseudo attribute dn, although in some directories it is cn), the attribute that holds the value to be used as the user name and group name (the User name and Group name entries), the Group mapping attribute, and whether the Groups hold members.

Notice that any attribute you use in the mappings MUST be included in the user and group attribute caches. In the following example, because the groups are listed on each user, you need to add the "memberOf" attribute as a user attribute in the cache.

Service configuration

9. Choose the frequency with which the cache should be refreshed by setting the schedule.

Select Save to save the configuration and load the service. This may take a moment while the required components are downloaded. After the service is installed, you are taken back to the Services home page.

Content source management page

How the configuration is used

With the above configuration, when the cache refreshes it downloads all of the users using the query (objectClass=user) and stores each returned user in a map keyed by its dn.

It then does the same for groups using the query (objectClass=group).

After all of the objects are downloaded, it considers each user in turn (because Groups hold members is not set, the user objects hold the groups to which they belong).

For each user, it retrieves all memberOf attributes (as configured by the Group mapping attribute). Each memberOf value holds the identifier of a group to which this user belongs. In a typical Active Directory configuration, this identifier is the dn of the group object. The identifier is looked up in the group map (which holds the group objects against their unique identifier – a dn) to find the group object.

After all of the memberOf attributes have been considered, we have the list of group objects for that user. We then establish the names of the user and of each group by reading the sAMAccountName attribute of the objects (as configured in the User name and Group name entries).

When this is complete, we have a user name and a list of group names, and this information is inserted into the cache.
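The refresh described above, modelled as an added example in plain Python (not Aspire's own code) over constructed directory entries. It follows the memberOf direction used in this tutorial and, as a generalization, the reverse direction for when Groups hold members is set; a memberOf value that names a group outside the group cache is simply skipped, which is what happens when the group query or search base does not cover it.

```python
from collections import defaultdict

# Constructed sample entries (attribute -> list of values, as an LDAP client
# returns them); "dn" is the pseudo attribute used as the cache key.
USERS = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "sAMAccountName": ["alice"],
     "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com",
                  "CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "sAMAccountName": ["bob"],
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com",
                  "CN=External,OU=Other,DC=example,DC=com"]},  # not in group cache
]
GROUPS = [
    {"dn": "CN=Admins,OU=Groups,DC=example,DC=com", "sAMAccountName": ["Admins"],
     "member": ["CN=Alice,OU=Staff,DC=example,DC=com"]},
    {"dn": "CN=Staff,OU=Groups,DC=example,DC=com", "sAMAccountName": ["Staff"],
     "member": ["CN=Alice,OU=Staff,DC=example,DC=com",
                "CN=Bob,OU=Staff,DC=example,DC=com"]},
]

def first(entry, attr):
    """First value of a possibly multi-valued attribute (None if absent)."""
    v = entry.get(attr)
    return v if isinstance(v, str) else (v[0] if v else None)

def build_cache(users, groups, user_key="dn", group_key="dn",
                user_name="sAMAccountName", group_name="sAMAccountName",
                mapping_attr="memberOf", groups_hold_members=False):
    """Return {user name: sorted group names}: index users and groups by their
    key attribute, then follow the mapping attribute in the direction that
    the 'Groups hold members' setting implies."""
    # DN keys lower-cased because AD matches DNs case-insensitively (example's assumption)
    user_map = {first(u, user_key).lower(): u for u in users}
    group_map = {first(g, group_key).lower(): g for g in groups}
    cache = defaultdict(set)
    if not groups_hold_members:      # user objects carry memberOf -> group key
        for u in user_map.values():
            names = cache[first(u, user_name)]      # user present even if no groups
            for ref in u.get(mapping_attr, []):
                g = group_map.get(ref.lower())      # group outside the cache: skip
                if g is not None:
                    names.add(first(g, group_name))
    else:                            # group objects carry member -> user key
        for g in group_map.values():
            for ref in g.get(mapping_attr, []):
                u = user_map.get(ref.lower())
                if u is not None:
                    cache[first(u, user_name)].add(first(g, group_name))
    return {name: sorted(gs) for name, gs in cache.items()}
```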
