The LDAP Group Cache app-bundle is loaded as the LDAP Cache Service and contains the functionality to download users and groups and their attributes from LDAP.
The LDAP Group Cache bundle uses the following components:
- LDAP Connection
- To connect to the LDAP server and execute any queries
- LDAP Cache
- To populate the caches, via a connection to LDAP using the LDAP Connection component and to serve requests from the Group Expansion Client
- Scheduler
- To periodically send requests to the LDAP Cache component to update the caches
| LDAP Group Expansion | |
|---|---|
| Factory Name | Ldap Group Cache |
| Maven Coordinates | com.searchtechnologies.aspire:app-ldap-group-cache |
| Versions | 4.0 |
| Type Flags | None |
| Inputs | N/A |
| Outputs | N/A |
Configuration
This section lists all configuration parameters available to install the LDAP services Application Bundle.
General Application Configuration
0 0 0 ? * *| Property | Type | Default | Description |
|---|---|---|---|
| gem | application | The path to a Group Expansion Manager application. | |
| useScript | boolean | false | If false, the bundle will expect to connect to an LDAP server to populate the cache. If true, cache population will run a script |
| enableLdapConnector | boolean | true | If true, the bundle will load an LDAP connector to provide LDAP connectivity |
| scriptFile | String | [Required (script)] | The name of the script to run to gather the information for cache population |
| jsonScript | boolean | false | If true, treat the script output as JSON. Otherwise treat it as XML |
| server | string | The LDAP server host address. Example: ldap//10.10.44.82:389 | |
| authentication | string | anonymous | Authentication type used for any LDAP request. Options are 'none', 'simple' and 'DIGEST-MD5'. |
| user | string | N/A | Username used to authenticate against the given LDAP server. If 'none' authentication type was selected, you can ignore this. |
| password | string | N/A | Password used to authenticate against the given LDAP server. If 'none' authentication type was selected, you can ignore this. |
| readTimeout | int | 600000 (=60s) | Read timeout in ms. The period may be entered in milliseconds, or with the suffix ms, s, m, h, d to indicate the units |
| connectTimeout | int | 600000 (=60s) | Connection timeout in ms. The period may be entered in milliseconds, or with the suffix ms, s, m, h, d to indicate the units |
| searchBase | string | [Required (ldap)] | The base directory in the LDAP for searches. Normally this is the domain of the LDAP server. |
| scope | int | 2 | The scope of the LDAP for searches. 0 = search base only, 1 = search base and immediate children, 2 = subdirectory |
| userQuery | string | [Required (ldap)] | The LDAP query used to find all users to be cached |
| userAttributes | XML | The LDAP attributes to be retrieved and stored in the cache for users | |
| groupQuery | string | [Required (ldap)] | The LDAP query used to find all users to be cached |
| groupAttributes | XML | <all> | The LDAP attributes to be retrieved and stored in the cache for groups |
| userKeyAttr | string | dn (a pseudo attribute representing the object dn) | The attribute in LDAP that is the unique key for the user |
| userNameAttr | string | sAMAccountName | The attribute in LDAP that holds the account name |
| groupKeyAttr | string | dn (a pseudo attribute representing the object dn) | The attribute in LDAP that is the unique key for the group |
| groupNameAttr | string | sAMAccountName | The attribute in LDAP that holds the account name |
| groupMappingAttr | string | memberOf | The attribute in LDAP that holds the groups for a user, or users for a group |
| groupsHoldMembers | boolean | false | If true, group objects reference their members (typically via a uniqueMember attribute). If false, user objects reference their groups (typically via a memberOf attribute). |
| scheduler | schedule | 0 0 0 ? * * | The CRON expression for the scheduled cache reloads. |
| retryDelay | long | 0 | The delay following an error before a retry is attempted. The period may be entered in milliseconds, or with the suffix ms, s, m, h, d to indicate the units |
| retries | long | 1 | The number of retries attempted, should an error occur, for an LDAP request before an Exception is thrown |
| pageSize | int | 1000 | The page size of the search query (max 1000). If there are less results for a search than the page size, a single page will be returned. If there are more, the results will be returned in pages. This will be transparent to the client |
| stripRequestDomain | boolean | false | If true, any domain on the user given in the group expansion request will be removed before the request is made to the server |
| addRequestDomain | String | If given, the given domain will be added to the user given in the group expansion request (overwriting any existing domain) before the request is made to the server | |
| stripResponseDomain | boolean | false | If true, any domain on the groups returned from the group expansion server will be removed before the group expansion request is returned |
| addResponseDomain | String | If given, the given domain will be added to the groups returned from the group expansion server will be removed before the group expansion request is returned | |
| staticGroups | XML | Any groups added here will be added (exactly as specified here) to the group expansion request before it is returned | |
| addPublic | boolean | false | If true, the generic public:all group will be added to the group expansion request before it is returned |
| debug | Boolean | false | Controls whether debugging is enabled for the application. Debug messages will be written to the log files. |
Configuration Example
Using LDAP
To install the application bundle, connecting to an LDAP server to for cache population, add the configuration, as follows, to the <autoStart> section of the Aspire settings.xml.
<?xml version="1.0" encoding="UTF-8"?>
<application config="com.searchtechnologies.aspire:app-ldap-group-cache">
<properties>
<property name="useScript">false</property>
<property name="enableLdapConnector">true</property>
<property name="server">ldap://10.10.20.7:389</property>
<property name="authentication">simple</property>
<property name="user">search\sdenny</property>
<property name="password">encrypted:0E206C5AED2A061A0B929A128B512652</property>
<property name="connectTimeout">15s</property>
<property name="readTimeout">15s</property>
<property name="searchBase">dc=search,dc=local</property>
<property name="scope">2</property>
<property name="userQuery">(&(objectClass=user)(objectClass=organizationalPerson)(!(objectClass=computer)))</property>
<property name="userAttributes"><users><attribute>cn</attribute><attribute>sn</attribute><attribute>c</attribute><attribute>l</attribute><attribute>title</attribute><attribute>description</attribute><attribute>telephoneNumber</attribute><attribute>givenName</attribute><attribute>memberOf</attribute><attribute>sAMAccountName</attribute><attribute>mail</attribute></users></property>
<property name="groupQuery">(objectClass=group)</property>
<property name="groupAttributes"><groups><attribute>sAMAccountName</attribute><attribute>cn</attribute><attribute>mail</attribute><attribute>member</attribute></groups></property>
<property name="lowerCase">false</property>
<property name="userKeyAttr">dn</property>
<property name="userNameAttr">sAMAccountName</property>
<property name="groupKeyAttr">dn</property>
<property name="groupNameAttr">sAMAccountName</property>
<property name="groupMappingAttr">member</property>
<property name="groupsHoldMembers">true</property>
<property name="schedule">0 0 0 ? * *</property>
<property name="generalConfiguration">true</property>
<property name="addPublic">false</property>
<property name="staticGroups"><staticGroups/></property>
<property name="requestDomain">leave</property>
<property name="addRequestDomain"/>
<property name="stripRequestDomain">false</property>
<property name="responseDomain">leave</property>
<property name="addResponseDomain"/>
<property name="stripResponseDomain">false</property>
<property name="retries">3</property>
<property name="retryDelay">5s</property>
<property name="pageSize">1000</property>
<property name="debug">true</property>
</properties>
</application>
Using Script
To install the application bundle using a script for cache population, add the configuration, as follows, to the <autoStart> section of the Aspire settings.xml.
<?xml version="1.0" encoding="UTF-8"?>
<application config="com.searchtechnologies.aspire:app-ldap-group-cache">
<properties>
<property name="useScript">true</property>
<property name="enableLdapConnector">false</property>
<property name="scriptFile">c:\ldap\populate.bat</property>
<property name="jsonScript">false</property>
<property name="lowerCase">false</property>
<property name="userKeyAttr">dn</property>
<property name="userNameAttr">sAMAccountName</property>
<property name="groupKeyAttr">dn</property>
<property name="groupNameAttr">sAMAccountName</property>
<property name="groupMappingAttr">member</property>
<property name="groupsHoldMembers">true</property>
<property name="schedule">0 0 0 ? * *</property>
<property name="generalConfiguration">true</property>
<property name="addPublic">false</property>
<property name="staticGroups"><staticGroups/></property>
<property name="requestDomain">leave</property>
<property name="addRequestDomain"/>
<property name="stripRequestDomain">false</property>
<property name="responseDomain">leave</property>
<property name="addResponseDomain"/>
<property name="stripResponseDomain">false</property>
<property name="retries">3</property>
<property name="retryDelay">5s</property>
<property name="pageSize">1000</property>
<property name="debug">true</property>
</properties>
</application>
Note: Any optional properties can be removed from the configuration to use the default value described on the table above.
Overview
Content Tools