The LDAP Group Cache app-bundle is loaded as the LDAP Cache Service and contains the functionality to download users and groups and their attributes from LDAP.
The bundle uses the following components:
This section lists all configuration parameters available to install the LDAP services Application Bundle.
Property | Type | Default | Description |
---|---|---|---|
useScript | boolean | false | If false, the bundle will expect to connect to an LDAP server to populate the cache. If true, cache population will run a script |
enableLdapConnector | boolean | true | If true, the bundle will load an LDAP connector to provide LDAP connectivity |
scriptFile | string | [Required (script)] | The name of the script to run to gather the information for cache population |
jsonScript | boolean | false | If true, treat the script output as JSON. Otherwise treat it as XML |
server | string | | The LDAP server host address. Example: ldap://10.10.44.82:389 |
authentication | string | anonymous | Authentication type used for any LDAP request. Options are 'none', 'simple' and 'DIGEST-MD5'. |
user | string | N/A | Username used to authenticate against the given LDAP server. If 'none' authentication type was selected, you can ignore this. |
password | string | N/A | Password used to authenticate against the given LDAP server. If 'none' authentication type was selected, you can ignore this. |
readTimeout | int | 600000 (=60s) | Read timeout in ms. The period may be entered in milliseconds, or with the suffix ms, s, m, h, d to indicate the units |
connectTimeout | int | 600000 (=60s) | Connection timeout in ms. The period may be entered in milliseconds, or with the suffix ms, s, m, h, d to indicate the units |
searchBase | string | [Required (ldap)] | The base directory in the LDAP for searches. Normally this is the domain of the LDAP server. |
scope | int | 2 | The scope of the LDAP for searches. 0 = search base only, 1 = search base and immediate children, 2 = subdirectory |
userQuery | string | [Required (ldap)] | The LDAP query used to find all users to be cached |
userAttributes | XML | | The LDAP attributes to be retrieved and stored in the cache for users |
groupQuery | string | [Required (ldap)] | The LDAP query used to find all groups to be cached |
groupAttributes | XML | <all> | The LDAP attributes to be retrieved and stored in the cache for groups |
userKeyAttr | string | dn (a pseudo attribute representing the object dn) | The attribute in LDAP that is the unique key for the user |
userNameAttr | string | sAMAccountName | The attribute in LDAP that holds the account name |
groupKeyAttr | string | dn (a pseudo attribute representing the object dn) | The attribute in LDAP that is the unique key for the group |
groupNameAttr | string | sAMAccountName | The attribute in LDAP that holds the account name |
groupMappingAttr | string | memberOf | The attribute in LDAP that holds the groups for a user, or users for a group |
groupsHoldMembers | boolean | false | If true, group objects reference their members (typically via a uniqueMember attribute). If false, user objects reference their groups (typically via a memberOf attribute). |
lowerCase | boolean | false | Tells if group names retrieved from LDAP should be changed to lower case. |
retryDelay | long | 0 | The delay following an error before a retry is attempted. The period may be entered in milliseconds, or with the suffix ms, s, m, h, d to indicate the units |
retries | long | 1 | The number of retries attempted, should an error occur, for an LDAP request before an Exception is thrown |
pageSize | int | 1000 | The page size of the search query (max 1000). If there are fewer results for a search than the page size, a single page will be returned. If there are more, the results will be returned in pages. This is transparent to the client |
stripRequestDomain | boolean | false | If true, any domain on the user given in the group expansion request will be removed before the request is made to the server |
addRequestDomain | string | | If given, the given domain will be added to the user given in the group expansion request (overwriting any existing domain) before the request is made to the server |
stripResponseDomain | boolean | false | If true, any domain on the groups returned from the group expansion server will be removed before the group expansion request is returned |
addResponseDomain | string | | If given, the given domain will be added to the groups returned from the group expansion server before the group expansion request is returned |
staticGroups | XML | | Any groups added here will be added (exactly as specified here) to the group expansion request before it is returned |
addPublic | boolean | false | If true, the generic public:all group will be added to the group expansion request before it is returned |
debug | boolean | false | Controls whether debugging is enabled for the application. Debug messages will be written to the log files. |
To install the application bundle so that it connects to an LDAP server for cache population, add the following configuration to the <autoStart> section of the Aspire settings.xml.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<application config="com.searchtechnologies.aspire:app-ldap-group-cache">
  <properties>
    <property name="useScript">false</property>
    <property name="enableLdapConnector">true</property>
    <property name="server">ldap://10.10.20.7:389</property>
    <property name="authentication">simple</property>
    <property name="user">search\sdenny</property>
    <property name="password">encrypted:0E206C5AED2A061A0B929A128B512652</property>
    <property name="connectTimeout">15s</property>
    <property name="readTimeout">15s</property>
    <property name="searchBase">dc=search,dc=local</property>
    <property name="scope">2</property>
    <!-- The & of the LDAP AND filter must be escaped as &amp; inside XML -->
    <property name="userQuery">(&amp;(objectClass=user)(objectClass=organizationalPerson)(!(objectClass=computer)))</property>
    <property name="userAttributes">
      <users>
        <attribute>cn</attribute>
        <attribute>sn</attribute>
        <attribute>c</attribute>
        <attribute>l</attribute>
        <attribute>title</attribute>
        <attribute>description</attribute>
        <attribute>telephoneNumber</attribute>
        <attribute>givenName</attribute>
        <attribute>memberOf</attribute>
        <attribute>sAMAccountName</attribute>
        <attribute>mail</attribute>
      </users>
    </property>
    <property name="groupQuery">(objectClass=group)</property>
    <property name="groupAttributes">
      <groups>
        <attribute>sAMAccountName</attribute>
        <attribute>cn</attribute>
        <attribute>mail</attribute>
        <attribute>member</attribute>
      </groups>
    </property>
    <property name="lowerCase">false</property>
    <property name="userKeyAttr">dn</property>
    <property name="userNameAttr">sAMAccountName</property>
    <property name="groupKeyAttr">dn</property>
    <property name="groupNameAttr">sAMAccountName</property>
    <property name="groupMappingAttr">member</property>
    <property name="groupsHoldMembers">true</property>
    <property name="schedule">0 0 0 ? * *</property>
    <property name="generalConfiguration">true</property>
    <property name="addPublic">false</property>
    <property name="staticGroups"><staticGroups/></property>
    <property name="requestDomain">leave</property>
    <property name="addRequestDomain"/>
    <property name="stripRequestDomain">false</property>
    <property name="responseDomain">leave</property>
    <property name="addResponseDomain"/>
    <property name="stripResponseDomain">false</property>
    <property name="retries">3</property>
    <property name="retryDelay">5s</property>
    <property name="pageSize">1000</property>
    <property name="debug">true</property>
  </properties>
</application>
```
To install the application bundle using a script for cache population, add the following configuration to the <autoStart> section of the Aspire settings.xml.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<application config="com.searchtechnologies.aspire:app-ldap-group-cache">
  <properties>
    <property name="useScript">true</property>
    <property name="enableLdapConnector">false</property>
    <property name="scriptFile">c:\ldap\populate.bat</property>
    <property name="jsonScript">false</property>
    <property name="lowerCase">false</property>
    <property name="userKeyAttr">dn</property>
    <property name="userNameAttr">sAMAccountName</property>
    <property name="groupKeyAttr">dn</property>
    <property name="groupNameAttr">sAMAccountName</property>
    <property name="groupMappingAttr">member</property>
    <property name="groupsHoldMembers">true</property>
    <property name="schedule">0 0 0 ? * *</property>
    <property name="generalConfiguration">true</property>
    <property name="addPublic">false</property>
    <property name="staticGroups"><staticGroups/></property>
    <property name="requestDomain">leave</property>
    <property name="addRequestDomain"/>
    <property name="stripRequestDomain">false</property>
    <property name="responseDomain">leave</property>
    <property name="addResponseDomain"/>
    <property name="stripResponseDomain">false</property>
    <property name="retries">3</property>
    <property name="retryDelay">5s</property>
    <property name="pageSize">1000</property>
    <property name="debug">true</property>
  </properties>
</application>
```
Note: Any optional property can be removed from the configuration to use the default value described in the table above.
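The following linter is an added example, not part of Aspire or of this documentation: it reads an app-ldap-group-cache `<application>` element, checks the per-mode required properties from the table, parses the ms/s/m/h/d period syntax, and flags settings a reviewer would question (a plain-text `password` rather than the `encrypted:` form used in the example above, a `pageSize` over the documented maximum, a bare-number timeout that is silently read as milliseconds). The sample configuration embedded in it is constructed, with deliberate mistakes for the checks to catch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): a trimmed copy of the LDAP-mode
# configuration above, with deliberate mistakes for the linter to catch.
SAMPLE_XML = """<application config="com.searchtechnologies.aspire:app-ldap-group-cache">
  <properties>
    <property name="useScript">false</property>
    <property name="server">ldap://10.10.20.7:389</property>
    <property name="authentication">simple</property>
    <property name="user">search\\sdenny</property>
    <property name="password">PLACEHOLDER-PLAINTEXT</property>
    <property name="connectTimeout">15s</property>
    <property name="readTimeout">15</property>
    <property name="searchBase">dc=search,dc=local</property>
    <property name="userQuery">(&amp;(objectClass=user)(!(objectClass=computer)))</property>
    <property name="pageSize">5000</property>
  </properties>
</application>"""

# Properties the table marks [Required (ldap)] / [Required (script)]; server is
# assumed required in LDAP mode since nothing else names the host.
REQUIRED = {"ldap": ("server", "searchBase", "userQuery", "groupQuery"),
            "script": ("scriptFile",)}
UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}

def parse_period_ms(text):
    """Bare digits are milliseconds; a suffix ms/s/m/h/d selects the unit."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|s|m|h|d)?\s*", text)
    if not m:
        raise ValueError(f"bad period: {text!r}")
    return int(m.group(1)) * UNIT_MS[m.group(2) or "ms"]

def lint_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props = {p.get("name"): (p.text or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    mode = "script" if props.get("useScript", "false").lower() == "true" else "ldap"
    findings = [f"missing required property for {mode} mode: {name}"
                for name in REQUIRED[mode] if not props.get(name)]
    if mode == "ldap":
        if props.get("authentication", "anonymous").lower() in ("none", "anonymous"):
            findings.append("unauthenticated bind: review what the directory exposes anonymously")
        pw = props.get("password", "")
        if pw and not pw.startswith("encrypted:"):
            findings.append("password stored in plain text; use the encrypted: form shown above")
        if int(props.get("pageSize", "1000")) > 1000:
            findings.append("pageSize exceeds the documented maximum of 1000")
    for name in ("connectTimeout", "readTimeout"):
        if name in props and parse_period_ms(props[name]) < 1000:
            findings.append(f"{name} is under one second: a bare number is read as milliseconds")
    return findings
```

Run it against a real settings.xml by passing the `<application>` element for the bundle to `lint_config`; an empty list means no finding.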