Active Directory for ACLs V2 Connector Configuration Reference
The Active Directory Connector for ACLs V2 plugin:
- Is a special connector that supports other data sources by collecting Access Control List (ACL) data
- Indexes ACL information into a configured "sidecar" Solr collection, for use by other connectors
- Connects to LDAP, AD, and Azure AD instances to add objects directly to a special collection for use in security trimming queries
- Extends the Azure AD model from V1 to return a delta link at the end of a crawl, allowing incremental delta searches for groups and users
|
Deprecation and removal notice
This connector is deprecated as of June 19, 2023 and is removed or expected to be removed as of January 31, 2024. The Active Directory for ACLs V2 connector is not compatible with Fusion 5.6 and later, regardless of the removal date. Use the LDAP ACLs V2 connector instead.
|
- The LDAP initial crawl fetches the first paginated list of results. When complete, the initial crawl creates a checkpoint as the starting point for incremental crawls.
- LDAP incremental crawls use checkpoints to produce specific, paginated access control elements. When complete, the incremental crawl creates another checkpoint to use as a starting point for further incremental crawls.
- The Azure AD crawl fetches groups and users stored in Azure AD. Both user and group retrieval use the MS API delta link request to retrieve incremental changes. Unlike LDAP, an Azure AD request returns additions and deletions in a single search, so there is no need to split crawls into two searches per object.
  The same type of request with an empty delta link parameter is used for the initial crawl. Objects are retrieved as a delta going back to the very beginning of the Azure AD instance.
  For non-removed Azure groups, the Azure group processor sends an additional request to the server to populate its memberof collection.
  If an error occurs (for example, an invalid Azure response), an error is emitted. This causes future crawls to start from the first page of a crawl, using the initial delta link for the current crawl.
|
Azure rejects delta links older than 30 days. This means incremental crawls must be performed more often than once per month.
|
- The aclCollectionName field value should match the associated value in the main datasource. For example, Sharepoint > Security Trimming > ACL Collection Name.
- To improve performance, narrow search results for users and groups by setting the userBaseDn and groupBaseDn field values. These fields must select a subtree of the baseDn field.
|
When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.
|
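As an added example (not part of Fusion or this connector), the checks below verify the constraints this page states before a datasource is saved: userBaseDn and groupBaseDn must lie within baseDn, ldapPort must not be the global catalog port, aclCollectionName must be set, and an Azure delta link older than 30 days can no longer drive an incremental crawl. The nesting of the properties dict mirrors the section headings on this page and is an assumption.

```python
# Added example, not Fusion's own code; the dict nesting below is an assumption.
from datetime import datetime, timedelta
DELTA_LINK_MAX_AGE = timedelta(days=30)  # Azure rejects older delta links

def normalize_dn(dn: str) -> list[str]:
    """Split a DN into lower-cased, trimmed RDNs (leaf first).
    A backslash-escaped comma, as in 'CN=Smith\\, John', does not split."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]

def is_subtree_of(child_dn: str, base_dn: str) -> bool:
    """True when child_dn equals base_dn or lies beneath it."""
    child, base = normalize_dn(child_dn), normalize_dn(base_dn)
    return len(child) >= len(base) and child[len(child) - len(base):] == base

def delta_link_expired(last_crawl_iso: str, now_iso: str) -> bool:
    """An Azure delta link older than 30 days is rejected, forcing a full crawl."""
    last, now = datetime.fromisoformat(last_crawl_iso), datetime.fromisoformat(now_iso)
    return now - last > DELTA_LINK_MAX_AGE

def check_config(props: dict) -> list[str]:
    """Return the problems found; an empty list means the config passes."""
    problems = []
    search = props["searchProperties"]
    base = search["baseDn"]
    for sub, key in (("userSearchProp", "userBaseDn"),
                     ("groupSearchProp", "groupBaseDn")):
        dn = search.get(sub, {}).get(key)
        if dn and not is_subtree_of(dn, base):
            problems.append(f"{key} {dn!r} is not under baseDn {base!r}")
    server = props["serverProperties"]
    if server.get("ldapPort", 389) == server.get("globalCatalogPort", 3268):
        problems.append("ldapPort must not be set to the global catalog port")
    if not props.get("securityTrimmingProperties", {}).get("aclCollectionName"):
        problems.append("aclCollectionName is empty; it must match the main datasource")
    return problems
```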
Active Directory Connector
coreProperties - Core Properties - not needed for ACL connector
Common behavior and performance settings.
fetchSettings - Fetch Settings
System level settings for controlling fetch behavior and performance.
fetchItemQueueSize - number
Size of the fetch item queue. Larger values result in increased memory usage, but potentially higher performance. Default is 10k.
>= 1
<= 500000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 10000
Multiple of: 1
fetchRequestCheckInterval - number
The amount of time to wait before checking whether a request is done
>= 1000
<= 500000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 15000
Multiple of: 1
fetchResponseCompletedTimeout - number
The maximum amount of time for a response to be completed. If exceeded, the task will be retried if the job is still running
>= 1
<= 600000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 300000
Multiple of: 1
fetchResponseScheduledTimeout - number
The maximum amount of time for a response to be scheduled. The task will be canceled if this setting is exceeded.
>= 1000
<= 500000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 300000
Multiple of: 1
indexMetadata - boolean
When enabled the metadata of skipped items will be indexed to the content collection
Default: false
numFetchThreads - number
Maximum number of fetch threads; defaults to 20. This setting controls the number of threads that call the connector's fetch method. Higher values can, but do not always, help with overall fetch performance.
>= 1
<= 500
exclusiveMinimum: false
exclusiveMaximum: false
Default: 20
Multiple of: 1
description - string
Optional description
<= 125 characters
diagnosticLogging - boolean
Enable diagnostic logging; disabled by default
Default: false
id - string (required)
A unique identifier for this Configuration.
>= 1 characters
Match pattern: ^[a-zA-Z0-9_-]+$
properties - Properties
Plugin specific properties.
authProperties - Authentication Properties
The credentials to access the AD server
password - string
Password of the User Principal. This property is not required for anonymous access
userPrincipal - string
A User Principal with permissions to access the LDAP server. A User Principal can take the format "user@domain", "domain\user" or a distinguished name of the user such as "CN=user,DC=domain,DC=com". This property is not required for anonymous access
connectionProperties - Connections Properties
Connections Configurations
connectionPoolInitial - number
Number of initial connections to open in the ldap connection pool.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 1
Multiple of: 1
connectionPoolMax - number
Maximum number of ldap connections that can be opened in the ldap connection pool.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 10
Multiple of: 1
documentsProperties - Document Save Options
Document Save Options
adNetbiosDomain - string
Use this Active Directory netbios domain. If not specified, the 'CN=Partitions,CN=Configuration,{dn}' will be used to dynamically look up the netbios domain.
userIdsAreCaseSensitive - boolean
If set to 'true', created entries are not capitalized
Default: false
searchProperties - Search Properties
Search Configurations
apiQueryRowLimit - number
Default size of a single page requested from the server
>= 1
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 5000
Multiple of: 1
baseDn - string
The base Distinguished Name (DN) in LDAP directory.
>= 1 characters
followReferrals - boolean
Whether or not to follow LDAP referrals when fetching ldap groups.
Default: false
groupSearchProp - Group Search Properties
Group Search Configurations
groupBaseDn - string
Optional - Distinguished name (DN) in LDAP directory where group objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for groups.
groupFilter - string
LDAP filter used when listing all group objects.
Default: (&(objectclass=group))
useGlobalCatalog - boolean
In the case of a multi-domain Active Directory forest, user and group search queries should typically be done through the global catalog so that users from child domains are found in search results. If not selected, only the root domain is queried for users and groups.
Default: true
userSearchProp - User Search Properties
User Search Configurations
userBaseDn - string
Optional - Distinguished name (DN) in LDAP directory where user objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for users.
userFilter - string
LDAP filter used when listing all user objects.
Default: (&(objectclass=user)(sAMAccountName=*))
securityTrimmingProperties - Security trimming configuration
aclCollectionName - string
Name of Solr collection to be used for storing fetched ACL records.
>= 1 characters
serverProperties - AD Server Properties
AD server Configurations
globalCatalogPort - number
If global catalog querying is enabled, this is the port that is used to connect to the Active Directory global catalog.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 3268
Multiple of: 1
ldapHost - string
The LDAP host of the LDAP/AD server where user information is stored.
ldapPort - number
The LDAP server port to use (do not set this to the global catalog port!).
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 389
Multiple of: 1
sslProperties - SSL Properties
SSL Configurations
base64SSLCertificate - string
For use with LDAP with SSL only, this is the Base 64 encoded SSL server certificate that will be used to securely communicate with the LDAP server.
useLdaps - boolean
Whether or not to use LDAPS secure protocol.
Default: false
timeoutProperties - Timeout Properties
Timeout Configurations
connectTimeout - number
If the LDAP provider cannot establish a connection within this timeout period in milliseconds, it aborts the connection attempt.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 3000
Multiple of: 1
readTimeout - number
The read timeout in milliseconds for an LDAP operation.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 5000
Multiple of: 1