
LDAP Cache Service Tutorial


Visit the Aspire UI and log in if necessary. You will be presented with the home screen.

Content source management page

Click Settings to load the Services console.

Settings menu

You should now see the following screen.

Services home

Choose Add Service and select LDAP Group Cache.

Service selection

The service will now load the configuration screen. This may take a moment if the connection to the internet is slow. Once the service has been downloaded, you will see the following:

Service configuration

Enter a service name.

Service configuration

Click the Service tab at the top of the screen or use the “arrow” at the right of the screen to move to the service configuration screen. You will now see the service configuration.

Fill in the Active Directory connection properties. The Search base is the start point in the directory tree from where searches will be performed, and Scope can be set to define how far down the tree the search will descend – either just the search base, the base and the next level, or the default of the entire Subtree.

User query should be an LDAP filter that returns all of the users you wish to cache. Typically this will be (objectClass=user); in our case, however, that filter also returns computer accounts, which we are not interested in, so we extend it to (&(objectClass=user)(!(objectClass=computer))) to exclude them. Group query is the filter that returns all the groups you wish to cache, typically (objectClass=group).

Service configuration

Scroll down to the Mapping attributes section and fill in the attributes that allow the user-to-group mapping to be performed. You must specify the attribute (or the pseudo-attribute dn) that uniquely identifies users and groups (the User key and Group key entries) and the attribute that holds the value to be used as the user name and group name (the User name and Group name entries). You also need to specify the Group mapping attribute and whether Groups hold members.

Service configuration

Finally choose the frequency with which the cache should be refreshed by setting the schedule. Press “Save” at the top of the screen to save the configuration and load the service. Again this may take a moment while the required components are downloaded. Once the service is installed, you will be taken back to the services home page.

Content source management page

How the configuration is used

With the above configuration, when the cache refreshes, it will download all the users using the query (objectClass=user) and store each returned user in a map against its dn.

Then it will do the same for groups using the query (objectClass=group).

Once all the objects are downloaded, it will consider each user in turn (because Groups hold members is not set, which means that user objects hold the groups to which they belong).

For each user, it will retrieve all values of the memberOf attribute (memberOf being the configured Group mapping attribute). Each value holds the identifier of a group to which this user belongs; in a typical Active Directory configuration this identifier is the dn of the group object. The identifier is looked up in the group map (which holds the group objects keyed by their unique identifier, the dn) to find the group object.

Once all the memberOf values have been considered, we have the list of the user's group objects. We can then establish the names of the user and the groups from the objects by reading the value of the sAMAccountName attribute (as configured in the User name and Group name entries).

Once all the above is complete, we have a user name and a list of group names, and this information is inserted into the cache.
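The refresh and mapping steps described above, as an added example that is not Aspire's own code: the directory entries are constructed inline and stand in for what the User query and Group query would return, and the attribute names follow this tutorial's configuration (dn as the key, memberOf as the Group mapping attribute, sAMAccountName as the name attribute). It also handles the Groups hold members case, which the tutorial mentions but does not walk through, assuming the Group mapping attribute in that mode is the group's member attribute.

```python
# Constructed sample entries standing in for what the User query and Group
# query would return; keys are LDAP attribute names plus the entry's dn.
USERS = [
    {"dn": "CN=alice,OU=Staff,DC=example,DC=com", "sAMAccountName": "alice",
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com",
                  "CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=com", "sAMAccountName": "bob",
     # the second dn lies outside the Search base, so no group object exists for it
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com",
                  "CN=Contractors,OU=External,DC=other,DC=com"]},
]
GROUPS = [
    {"dn": "CN=Finance,OU=Groups,DC=example,DC=com", "sAMAccountName": "Finance",
     "member": ["CN=alice,OU=Staff,DC=example,DC=com"]},
    {"dn": "CN=Staff,OU=Groups,DC=example,DC=com", "sAMAccountName": "Staff",
     "member": ["CN=alice,OU=Staff,DC=example,DC=com",
                "CN=bob,OU=Staff,DC=example,DC=com"]},
]

def build_cache(users, groups, user_key="dn", group_key="dn",
                user_name="sAMAccountName", group_name="sAMAccountName",
                mapping_attr="memberOf", groups_hold_members=False):
    """Return {user name: sorted group names}, as built on a cache refresh.
    Objects go into maps keyed by the configured key attribute; the mapping
    attribute on one side is resolved through the map of the other side.
    Identifiers that resolve to nothing (e.g. a group outside the Search base)
    are skipped rather than cached as a nameless group."""
    user_map = {u[user_key]: u for u in users}
    group_map = {g[group_key]: g for g in groups}
    cache = {u[user_name]: set() for u in users}  # users with no groups still appear
    if groups_hold_members:
        # Group objects list their members (AD 'member'; assumed to be the
        # configured Group mapping attribute in this mode).
        for g in groups:
            for ident in g.get(mapping_attr, []):
                u = user_map.get(ident)
                if u is not None:
                    cache[u[user_name]].add(g[group_name])
    else:
        # User objects list the groups they belong to (memberOf in AD).
        for u in users:
            for ident in u.get(mapping_attr, []):
                g = group_map.get(ident)
                if g is not None:
                    cache[u[user_name]].add(g[group_name])
    return {name: sorted(names) for name, names in cache.items()}

if __name__ == "__main__":
    print(build_cache(USERS, GROUPS))
    print(build_cache(USERS, GROUPS, mapping_attr="member", groups_hold_members=True))
```

Both modes yield the same mapping for this sample, and bob's dangling Contractors reference is dropped rather than producing an unnamed group entry.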
