Group Expansion Administration FAQ

Configuring with the GSA

The GSA must be configured to use LDAP to look up a user's group information during authentication; see the GSA wiki for more information. Per-URL ACLs are also required on the GSA, so document ACLs must be indexed as well. Note that no group expansion occurs at index time: ACLs are indexed exactly as they arrive in the files.

The LDAP server configured on the GSA will be the Aspire LDAP proxy, not the customer's real LDAP server.

When a user authenticates to the GSA front end, the GSA sends two requests to the configured LDAP server (the Aspire proxy in this case).

  • A request to authenticate the user. The Aspire LDAP proxy forwards this request to the customer's real LDAP server and passes the response back to the GSA.
  • A request for the user's groups (only if the user was successfully authenticated). This attempts to retrieve all the groups of which the user is a member. The Aspire LDAP proxy intercepts this request, passes it to an Aspire pipeline, and adds group information from the configured repositories (the pipeline can be extended as required to include other repositories). Once the information is gathered, it is sent back to the GSA. From this point on, the GSA handles authorization with the extended group information by comparing the indexed document ACLs against the user and group information retrieved from the LDAP proxy.

Once the GSA has the group information, it stores it in its cache so that further queries from the same user do not require additional group expansion.

When to use

  • The customer requires nested groups from LDAP.
  • There are documents from repositories that have their own group definitions (for example SharePoint or Documentum).
  • The GSA is unable to get group information from Active Directory (because of a limitation in the GSA, it fails to retrieve group information from Active Directory on some customer installations; the Aspire LDAP proxy addresses this by using the Active Directory API to get the group information instead of the Java API).

Configuring the GSA

  • Log in to the GSA, go to Administration -> LDAP Setup and fill in the required information:
    • Host: the host where Aspire is installed
    • Port number: the port on which the Group Expander was configured; by default this is port 10389
    • Distinguished name (DN): the DN of the user used to authenticate LDAP requests
    • Password: the password for that DN user
  • Go to the advanced settings page even if detection fails.
  • Configure the parameters. Important: all the values except for the Search Base must be configured with the exact values listed below.
    • Search Base
      • The customer's LDAP server base DN. It must match the search base configured on Aspire, e.g. dc=customer,dc=com
    • User Search Filter
      • (&(objectclass=person)(uid=%s))
    • Group Search Filter
      • (|(uniquemember=%dn)(uid=%s))
    • Returned group format
      • CN
    • SSL Support
      • None
  • Test the configuration in the “LDAP Search User Authentication Test” section. It should return the groups.

(Screenshot: GSA Proxy Test.png)

Groups Resolution Configuration

  • Go to Serving -> Universal Login Auth Mechanisms -> LDAP and fill in the required values:
    • Credential Group: Default
    • Mechanisms Name: ldap-proxy
  • Check Enable group lookup box
  • Click the Save button

Troubleshooting

Cannot find a partition

If you see a message like Cannot find a partition for 0.9.2342.19200300.100.1.25=somedomain,0.9.2342.19200300.100.1.25=com when running the LDAP authentication test on the GSA (or at serve time), make sure the search base specified in the Group Expansion service is the same as the one on the GSA LDAP Setup page.

No requests to the proxy

If requests do not appear to be reaching the proxy, check that the filters configured on the GSA side match the ones listed above and are not custom filters from the customer.
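The following is an added example, not GSA or Aspire code, that checks the LDAP settings from the "Configuring the GSA" steps offline. It renders the two requests the appliance issues per login (user search, then group search with %s and %dn substituted), compares the GSA search base with the proxy's search base (the mismatch behind the "Cannot find a partition" message, including the OID form of dc that the message uses), and verifies that the filters and the other fixed values are exactly the required ones (the cause behind "No requests to the proxy"). The configuration dictionaries, DNs and the user name jdoe are constructed; how the appliance itself substitutes and escapes filter values is not stated on this page and is assumed here.

```python
"""Added example, not GSA or Aspire code: offline consistency check of the GSA
LDAP settings against the proxy. Configuration values, DNs and the user name are
constructed; the appliance's own substitution and escaping rules are assumed."""
import re

# Attribute OID that an LDAP server may print instead of the name 'dc'; it is
# what appears in the "Cannot find a partition" message above.
DOMAIN_COMPONENT_OID = "0.9.2342.19200300.100.1.25"

# Exact values required by the configuration steps above.
REQUIRED_VALUES = {
    "user_search_filter": "(&(objectclass=person)(uid=%s))",
    "group_search_filter": "(|(uniquemember=%dn)(uid=%s))",
    "returned_group_format": "CN",
    "ssl_support": "None",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so the
    substituted text is always matched as data (assumed here; it is what a
    correct LDAP client does)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def normalize_dn(dn):
    """Canonical form for comparing DNs: expand the dc OID, lower-case attribute
    types and values, drop whitespace around components. Simplification: values
    containing escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        attr = attr.strip().lower()
        if attr == DOMAIN_COMPONENT_OID:
            attr = "dc"
        parts.append("%s=%s" % (attr, val.strip().lower()))
    return ",".join(parts)


def dn_from_partition_message(message):
    """Recover the search base an LDAP server complained about, in dc= form."""
    match = re.search(r"Cannot find a partition for (\S+)", message)
    return normalize_dn(match.group(1)) if match else None


def substitute(template, username, user_dn):
    """Single-pass %s / %dn substitution, so a substituted value is never re-expanded."""
    values = {"%s": escape_filter_value(username), "%dn": escape_filter_value(user_dn)}
    return re.sub(r"%dn|%s", lambda m: values[m.group(0)], template)


def render_requests(gsa_config, username, user_dn):
    """The two searches from the authentication flow above: the user search runs
    first, and the group search can only be built once the user's DN is known."""
    base = gsa_config["search_base"]
    return [
        ("user", base, substitute(gsa_config["user_search_filter"], username, user_dn)),
        ("groups", base, substitute(gsa_config["group_search_filter"], username, user_dn)),
    ]


def check_config(gsa_config, proxy_config):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    if normalize_dn(gsa_config["search_base"]) != normalize_dn(proxy_config["search_base"]):
        problems.append("search base differs: GSA %r vs proxy %r (expect 'Cannot find a partition')"
                        % (gsa_config["search_base"], proxy_config["search_base"]))
    for key, required in REQUIRED_VALUES.items():
        if gsa_config.get(key) != required:
            problems.append("%s is %r but must be exactly %r" % (key, gsa_config.get(key), required))
    return problems


# Constructed settings: the GSA base differs from the proxy's only in case and
# spacing, which normalize_dn treats as equivalent.
GSA_CONFIG = {
    "search_base": "DC=Customer, DC=com",
    "user_search_filter": "(&(objectclass=person)(uid=%s))",
    "group_search_filter": "(|(uniquemember=%dn)(uid=%s))",
    "returned_group_format": "CN",
    "ssl_support": "None",
}
PROXY_CONFIG = {"search_base": "dc=customer,dc=com"}
# A customer-specific filter and a different base, as in the two troubleshooting items.
BAD_GSA_CONFIG = dict(GSA_CONFIG, search_base="dc=somedomain,dc=com",
                      user_search_filter="(&(objectclass=user)(sAMAccountName=%s))")

if __name__ == "__main__":
    for kind, base, flt in render_requests(GSA_CONFIG, "jdoe", "uid=jdoe,ou=people,dc=customer,dc=com"):
        print("%-6s base=%s filter=%s" % (kind, base, flt))
    print("good config:", check_config(GSA_CONFIG, PROXY_CONFIG))
    print("bad config: ", check_config(BAD_GSA_CONFIG, PROXY_CONFIG))
    print(dn_from_partition_message("Cannot find a partition for "
          "0.9.2342.19200300.100.1.25=somedomain,0.9.2342.19200300.100.1.25=com"))
```

Run it as a script to see the rendered requests and the two problem reports; the DN comparison deliberately ignores case and spacing so that only a genuinely different base is flagged.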

No groups returned

It can take a while for the group caches to be built. If this has not completed (and this is the first time you have run Aspire), you will not get any groups. Check the LDAP group cache and connector group cache logs for status information or errors.

I don't see documents in my search results

If you can see that groups are returned on the “LDAP Search User Authentication Test” page (Administration -> LDAP Setup, or in the GSA logs) but do not see the document in the search results:

  • Make sure the documents have ACLs:
    • Go to “Index > Diagnostics > Index Diagnostics”
    • Look for a secured document indexed by the connector you configured
    • Check that ACLs were added to the document as shown here:

(Screenshot: GSA Document diag.png)

If the ACLs are present, check that they are in the right domain and that the group or user names match the document's ACLs. If the document or the ACLs are not present, go to “Content Sources > Feeds” and check whether there were errors while processing the feed, or whether the feed had the ACLs attached to each document.
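The following is an added example, not Aspire or GSA code, that models the serve-time steps described in "Configuring with the GSA" (the proxy expanding a user's nested groups, then the appliance comparing the returned user and groups against the indexed per-URL ACLs) and reproduces the case above where groups are returned but documents are missing because the domain or the group name does not match. All directory data, document ACLs, the user names jdoe and bob and the domain corp are constructed; the proxy's wire format and the appliance's exact matching rules are not stated on this page and are assumed (exact, case-sensitive comparison by default).

```python
"""Added example, not Aspire or GSA code: nested group expansion followed by a
late-binding ACL check. Directory data, ACLs, users and domain are constructed;
the proxy's output format and the appliance's matching rules are assumed."""
from dataclasses import dataclass

# Constructed directory: principal -> groups it is a DIRECT member of.
# A plain LDAP group lookup returns only this first level.
DIRECT_MEMBERSHIP = {
    "jdoe": {"engineering"},
    "bob": {"contractors", "engineering"},
    "engineering": {"staff"},      # nested: engineering is itself a member of staff
    "staff": {"everyone"},
    "contractors": {"everyone"},
}


def expand_groups(principal, membership=DIRECT_MEMBERSHIP):
    """Transitive closure over nested membership: the extra work the proxy
    pipeline does before answering the group request. The visited set makes
    the walk terminate even if the directory contains circular nesting."""
    expanded = set()
    frontier = list(membership.get(principal, ()))
    while frontier:
        group = frontier.pop()
        if group in expanded:
            continue
        expanded.add(group)
        frontier.extend(membership.get(group, ()))
    return expanded


@dataclass(frozen=True)
class Principal:
    """One ACL entry in "Returned group format: CN" style: bare CN plus domain."""
    name: str
    domain: str


@dataclass(frozen=True)
class DocumentAcl:
    permit: frozenset
    deny: frozenset


def _key(name, domain, case_sensitive):
    return (name, domain) if case_sensitive else (name.lower(), domain.lower())


def is_authorized(acl, user, domain, groups, case_sensitive=True):
    """Late-binding check per result: the user plus every group the proxy
    returned is compared with the indexed ACL. A deny match wins; otherwise at
    least one permit entry must match. Comparison is exact by default, so a
    wrong domain or a differently cased group name yields no results even
    though the LDAP test page shows groups being returned."""
    held = {_key(user, domain, case_sensitive)}
    held |= {_key(g, domain, case_sensitive) for g in groups}
    if held & {_key(p.name, p.domain, case_sensitive) for p in acl.deny}:
        return False
    return bool(held & {_key(p.name, p.domain, case_sensitive) for p in acl.permit})


def search_visible(docs, user, domain, groups, case_sensitive=True):
    """Trim a result list the way serve-time authorization does."""
    return [url for url, acl in docs.items()
            if is_authorized(acl, user, domain, groups, case_sensitive)]


# Constructed per-URL ACLs, stored exactly as fed (no expansion at index time).
DOCS = {
    "http://intranet.example/handbook": DocumentAcl(
        permit=frozenset({Principal("staff", "corp")}), deny=frozenset()),
    "http://intranet.example/payroll": DocumentAcl(
        permit=frozenset({Principal("staff", "corp")}),
        deny=frozenset({Principal("contractors", "corp")})),
    "http://intranet.example/handbook-old": DocumentAcl(        # CN case differs
        permit=frozenset({Principal("Staff", "corp")}), deny=frozenset()),
    "http://intranet.example/partner": DocumentAcl(             # other domain
        permit=frozenset({Principal("staff", "partner")}), deny=frozenset()),
}

if __name__ == "__main__":
    for user in ("jdoe", "bob"):
        direct, expanded = DIRECT_MEMBERSHIP[user], expand_groups(user)
        print(user, "direct:", sorted(direct), "expanded:", sorted(expanded))
        print("  visible with direct groups only:", search_visible(DOCS, user, "corp", direct))
        print("  visible with expanded groups:   ", search_visible(DOCS, user, "corp", expanded))
```

Running the script shows that jdoe sees nothing with direct groups only and sees the handbook and payroll once nesting is expanded, that bob loses payroll to the deny entry, and that the two documents whose ACLs differ only in CN case or in domain stay hidden, which is the symptom the "I don't see documents" item describes.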
