Lightweight Directory Access Protocol (LDAP) is an application protocol for reading and editing directories over an IP network. Data is stored in entries, which build up a hierarchical, tree-like structure. Each entry has a unique name (DN, Distinguished Name), which depicts its position within the tree. An entry consists of key/value pairs, the attributes.
LDAP is used to authenticate users before returning secure search results. When a user connects to the Google Search Appliance and requests a search for secure results, the search appliance asks for credentials from the user. These credentials are then forwarded to the LDAP server for validation.
The search appliance tries to auto-detect the LDAP configuration settings. When the LDAP server is Active Directory, detection is successful. When another LDAP server is used, such as Apache Directory Server, detection normally fails and the values have to be entered manually. To do this, you can force the advanced settings to appear by selecting the "Go to advanced settings page even if detection fails" checkbox.
How to integrate the search appliance with an LDAP Server is described in: Integrating the Search Appliance with an LDAP Server
The search appliance can be enabled to automatically look up group information for a user during authentication.
To enable group lookup:
Important:
Kerberos is a network authentication protocol that enables client and server applications to perform mutual authentication for the duration of a user's login session.
It is a silent authentication method where the users submit passwords once to access all services, typically during network logon. The user logs onto the network and receives a Ticket Granting Ticket (TGT) so the user’s client can authenticate itself with the Key Distribution Center (KDC) and obtain service tickets.
When the search appliance is configured to use IWA / Kerberos authentication, the search appliance checks the user's session ticket against a KDC before displaying secure search results to a user. For Windows servers, the domain controller acts as the KDC for Kerberos authentication.
Currently, Kerberos can only be used at serve time; Kerberos for crawling content is only supported in version 6.10.
In Windows Server, a domain controller administrator has to create a new user account object for the search appliance with these characteristics:
A Service Principal Name (SPN) has to be registered for the appliance. Run the following command to register the GSA SPN:

```
setspn -a HTTP/FQDN_of_the_searchappliance GSA_USER
```
The keytab file is encrypted and stored on the GSA during configuration. It contains the private key used to decrypt GSA service tickets and validate users without contacting the KDC. Create the file with the following command:

```
ktpass -princ HTTP/FQDN_of_the_searchappliance@DOMAIN_NAME -mapuser DOMAIN_NAME\searchappliance_username -pass searchappliance_password -out filename.keytab -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL
```
Once the keytab file is created it has to be validated. Use the Kerberos Setup Validation Utility to check the keytab file and the GSA user configuration.
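As an added check on the keytab produced by the ktpass command above (example code written for this page, not part of the GSA documentation or of the Kerberos Setup Validation Utility): it parses the MIT keytab layout that ktpass writes, confirms that the principal in the file matches the SPN registered with setspn, and flags single-DES and RC4 keys, since the DES-CBC-MD5 type selected above is deprecated and disabled by default on current KDCs. The SPN, realm and key bytes in the sample are constructed placeholders.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}   # IANA Kerberos enctype numbers
WEAK = {1, 2, 3, 23}                                          # single-DES and RC4 are deprecated

def _counted(buf, pos):
    # keytab counted_octet_string: 16-bit big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502, the layout ktpass writes); key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # a negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, _stamp, kvno = struct.unpack_from(">IIB", data, pos)  # 8-bit kvno; trailing 32-bit kvno not read
        enctype, _klen = struct.unpack_from(">HH", data, pos + 9)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype})
        pos = end                   # skips the key material and any trailing kvno
    return entries

def check_gsa_keytab(data, expected_spn):
    """Findings to resolve before importing the keytab in the Admin Console."""
    findings = []
    for e in parse_keytab(data):
        if e["principal"] != expected_spn:
            findings.append("principal %s does not match SPN %s" % (e["principal"], expected_spn))
        if e["enctype"] in WEAK:
            findings.append("weak enctype %s" % ENCTYPES.get(e["enctype"], e["enctype"]))
    return findings

SAMPLE = (b"\x05\x02" + struct.pack(">i", 59) + struct.pack(">H", 2)   # constructed sample, not a real keytab
          + b"\x00\x0bEXAMPLE.COM" + b"\x00\x04HTTP" + b"\x00\x0fgsa.example.com"
          + struct.pack(">IIBHH", 1, 0, 1, 3, 8) + b"\x01" * 8)         # name type 1, kvno 1, enctype 3 (DES-CBC-MD5)
```

Run `check_gsa_keytab(open("filename.keytab", "rb").read(), "HTTP/FQDN_of_the_searchappliance@DOMAIN_NAME")` against the real file; an empty list means the principal matches and no deprecated key type is present.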
Users who query the search appliance must have their web browsers configured to use Kerberos authentication. How to configure IE and Firefox is described below:
Safari is not a supported browser because it doesn't forward Kerberos tickets.
In Serving > Universal Login Auth Mechanisms, fill the Kerberos based form with the following parameters:
| Field | Value |
|---|---|
| Specify a Kerberos Key Distribution Center (KDC) / Windows Domain Controller (DC) | DOMAIN_NAME |
| Enable KDC DNS Lookup | Checked |
| Import a Kerberos Service Key Table ("keytab") File | Import the keytab file generated in the above steps |
| Credential Group | Default |
| Enable Kerberos Support | Checked |
| Mechanism Name | Add the desired name |
An authentication rule instructing the crawler how to authenticate when crawling the protected content has to be created. An authentication rule consists of a URL pattern matching the protected files, a username, a domain (if using NTLM or Kerberos), and a password. Selecting the Make Public checkbox allows users to get results from both the public content (normally available to everyone) and the secure (confidential) content.
To set options for crawling secure content: