Configuration
Element | Type | Default | Description |
---|---|---|---|
port | int | 10389 | Port on which this component will listen for LDAP requests. |
ldapConnectorManager | string | | Name of the LDAP Connection component that will handle interaction with a "real" LDAP server. Required. |
searchBase | string | dc=search,dc=local | The search base for this directory (and the name of the Aspire custom partition). This value must be the same as the search base used by the requesting client, otherwise search requests won't be routed to the Aspire custom partition. |
groupFilterPattern | string | \(2.5.4.50=([^\)]*)\)\(0.9.2342.19200300.100.1.1=([^\)]*)\)\) | Regular expression used to identify group expansion requests. Must use standard attribute OIDs (not attribute names). |
userFilter | string | (&(objectClass=user)(objectClass=person)(sAMAccountName=%s)) | LDAP query to perform when searching for a user (when proxying an incoming search request). |
cacheTimeout | string | 1800000 (30 mins) | The group expansion cache retention time in ms. Any request for groups for a given user is cached for this period of time. Subsequent requests for the same user during this period will be served from the cache, not sent to the LDAP server. Note that only group expansion requests are cached. All other requests will be sent to the LDAP server. |
processing/route | string | | One or more routes that group expansion requests will be sent to. |
expanders/route | string | | The routes that the group expansion router will attach when publishing its jobs. See below. |
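
The following is an added example, not part of the Aspire code base: it runs the default groupFilterPattern over constructed search filters to show which ones would be classified as group expansion requests. It assumes the pattern is applied as a substring search and that the two capture groups carry the user's DN and login name; STRICT_PATTERN is a hypothetical tightened value with the OID dots escaped.

```python
import re

# Default groupFilterPattern, copied from the configuration table.
DEFAULT_PATTERN = re.compile(
    r"\(2.5.4.50=([^\)]*)\)\(0.9.2342.19200300.100.1.1=([^\)]*)\)\)"
)

# Hypothetical stricter value: same pattern with the OID dots escaped,
# so "." no longer matches an arbitrary character.
STRICT_PATTERN = re.compile(
    r"\(2\.5\.4\.50=([^\)]*)\)\(0\.9\.2342\.19200300\.100\.1\.1=([^\)]*)\)\)"
)

def classify_filter(ldap_filter, pattern=DEFAULT_PATTERN):
    """Return (dn, uid) if the filter looks like a group expansion request.

    Assumption: substring search, group 1 = DN, group 2 = login name.
    Returns None for filters that would be proxied as ordinary searches.
    """
    match = pattern.search(ldap_filter)
    if match is None:
        return None
    return match.group(1), match.group(2)

# Constructed sample filters (not captured traffic).
SAMPLES = {
    # OID form: recognised as a group expansion request.
    "oid": "(&(2.5.4.50=cn=Steve Denny,cn=Users,dc=search,dc=local)"
           "(0.9.2342.19200300.100.1.1=sdenny))",
    # Attribute-name form: not recognised, as the table warns.
    "names": "(&(uniqueMember=cn=Steve Denny,cn=Users,dc=search,dc=local)"
             "(uid=sdenny))",
    # Ordinary user lookup in the shape of the default userFilter.
    "user_lookup": "(&(objectClass=user)(objectClass=person)"
                   "(sAMAccountName=sdenny))",
    # Malformed OID: accepted by the default pattern's unescaped dots.
    "loose_dots": "(&(2x5x4x50=cn=a)(0.9.2342.19200300.100.1.1=b))",
}

if __name__ == "__main__":
    for name, flt in SAMPLES.items():
        print(name, classify_filter(flt), classify_filter(flt, STRICT_PATTERN))
```

Only requests that match are served from the group expansion cache; everything else goes to the LDAP server, so a client that sends attribute names instead of OIDs bypasses both the cache and the expanders.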
Branch Configuration
For group expansion requests to be processed, you must configure a branch for the onGroupExpansion event.
<branches>
  <branch event="onGroupExpansion" pipelineManager="pipelineManager" pipeline="dummyPipeline" />
</branches>
Group Expansion Processing
Group Expansion Request
When a group expansion request is received, it is formed into a group expansion request message and published to the groupExpansion event. The expanders are added to the request message, and the resulting message looks like:
<doc type="groupExpansion">
  <username dn="cn=Steve Denny,cn=Users,dc=search,dc=local">sdenny</username>
  <groupExpansion>
    <expanders>
      <expander>/pipeline1</expander>
      <expander>/pipeline2</expander>
    </expanders>
  </groupExpansion>
</doc>
The job will be routed using the information given in the <processing/route> tags (so it's possible that the job is published to a dummy pipeline with no processing stages). It's expected that there is (optionally) a preprocessing pipeline, a pipeline containing a group expansion router and (optionally) a post-processing pipeline. The <expanders/route> configuration populates the <groupExpansion> part of the message.
Group Expansion Response
Any group expansion component this request is sent to should add groups to the AspireObject of the Job in the following format:
<doc type="groupExpansion">
  <username dn="cn=Steve Denny,cn=Users,dc=search,dc=local">sdenny</username>
  <groupExpansion>
    <expanders>
      <expander>/pipeline1</expander>
      <expander>/pipeline2</expander>
    </expanders>
  </groupExpansion>
  <groups>
    <group source="ldap">ldapGroup1</group>
    <group source="ldap">ldapGroup2</group>
    <group source="ldap">ldapGroup3</group>
  </groups>
</doc>
The <group> tag holds the name of the group to be returned in the LDAP response and the source attribute should hold an indicator of the component that added the group to the response. In a component derived from the Simple Group Expander component, this is achieved using the group expansion result.
Once the job is complete on the pipeline, the proxy will gather the groups from the returned job and return them to the requester.
Example Configuration
<component name="LdapProxy" subType="default" factoryName="aspire-apache-ds">
  <searchBase>dc=search,dc=local</searchBase>
  <ldapConnectorManager>Main/LDAPGroupExpander</ldapConnectorManager>
  <processing>
    <route>/GroupExpansion/Main</route>
  </processing>
  <expanders>
    <route>/SharePointConnector</route>
    <route>/DocumentumConnector</route>
  </expanders>
  <debug>true</debug>
  <branches>
    <branch event="onGroupExpansion" pipeline="dummy-for-routing" pipelineManager="Main"/>
  </branches>
</component>