Legacy Product

Fusion 5.10

    Active Directory for ACLs V2 Connector Configuration Reference

    The Active Directory Connector for ACLs V2 plugin:

    • Is a special connector that supports other data sources by collecting Access Control List (ACL) data

    • Indexes ACL information into a configured "sidecar" Solr collection, for use by other connectors

    • Connects to LDAP, AD, and Azure AD instances to add objects directly to a special collection for use in security trimming queries

    • Extends the Azure AD model from V1 to return a delta link at the end of a crawl, allowing incremental delta searches for groups and users

    Deprecation and removal notice

    This connector is deprecated as of June 19, 2023 and is removed or expected to be removed as of January 31, 2024. The Active Directory for ACLs V2 connector is not compatible with Fusion 5.6 and later, regardless of the removal date. Use the LDAP ACLs V2 connector instead.

    For more information about deprecations and removals, including possible alternatives, see Deprecations and Removals.

    Flow overview

    1. LDAP initial crawl for first paginated list of results. When complete, the initial crawl creates a checkpoint as the starting point for incremental crawls.

    2. LDAP incremental crawls use checkpoints to produce specific, paginated access control elements. When complete, the incremental crawl creates another checkpoint to use as the starting point for further incremental crawls.

    3. The Azure AD crawl fetches groups and users stored in Azure AD. Both user and group retrieval use the Microsoft Graph API delta link request to retrieve incremental changes. Unlike LDAP, the Azure AD request returns additions and deletions in a single search, so there is no need to split a crawl into two searches per object type.

    Flow details

    The same type of request, with an empty delta link parameter, is used for the initial crawl. Objects are retrieved as a delta going back to the very beginning of the Azure AD instance.

    For Azure groups that have not been removed, the Azure group processor sends an additional request to the server to populate the group's memberof collection.

    If an error occurs (for example, a malformed Azure response), an error is emitted. Future crawls then start again from the first page, using the delta link with which the current crawl started.

    Azure rejects delta links older than 30 days. This means incremental crawls must be performed more often than once per month.
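    The delta-link flow above (initial crawl with no link, paginated pages ending in a new checkpoint, additions and deletions in one pass, restart from the crawl's starting link after an error, and rejection of a link older than 30 days) as an added, self-contained simulation. This is example code, not the connector's or Microsoft's; FakeGraph is a constructed in-memory stand-in that only mimics the shape of Graph delta responses (value, @odata.nextLink, @odata.deltaLink, "@removed"), its token format is invented, and the choice to fall back to a full initial crawl after an expired link is an assumption of the example.

```python
import json
from datetime import datetime, timedelta, timezone

# The page states that Azure rejects delta links older than 30 days.
DELTA_MAX_AGE = timedelta(days=30)


class DeltaLinkExpired(Exception):
    """Raised when the directory rejects a delta link as too old."""


class FakeGraph:
    """Constructed stand-in for a Graph delta endpoint (not a real client).

    Keeps an ordered change log and serves it in pages: intermediate pages carry
    @odata.nextLink, the last page carries @odata.deltaLink. Tokens are plain
    JSON here so the test can inspect them; real Graph tokens are opaque.
    """

    def __init__(self, page_size=2):
        self.page_size = page_size
        self.log = []            # list of (sequence number, object)
        self.seq = 0
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # simulated clock
        self.fail_next = False   # set True to simulate one transient server error

    def upsert(self, obj_id, display_name):
        self.seq += 1
        self.log.append((self.seq, {"id": obj_id, "displayName": display_name}))

    def delete(self, obj_id):
        self.seq += 1
        self.log.append((self.seq, {"id": obj_id, "@removed": {"reason": "deleted"}}))

    def advance_clock(self, days):
        self.now += timedelta(days=days)

    def _token(self, seq):
        return json.dumps({"seq": seq, "issued": self.now.isoformat()})

    def delta(self, link=None):
        """Serve one page; link=None is the initial crawl from the very beginning."""
        if self.fail_next:
            self.fail_next = False
            raise RuntimeError("simulated transient error")
        if link is None:
            start = 0
        else:
            tok = json.loads(link)
            if self.now - datetime.fromisoformat(tok["issued"]) > DELTA_MAX_AGE:
                raise DeltaLinkExpired(link)
            start = tok["seq"]
        pending = [(s, o) for s, o in self.log if s > start]
        page = pending[: self.page_size]
        last = page[-1][0] if page else start
        resp = {"value": [o for _, o in page]}
        if len(pending) > self.page_size:
            resp["@odata.nextLink"] = self._token(last)
        else:
            resp["@odata.deltaLink"] = self._token(last)
        return resp


class AclCrawler:
    """One crawl walks nextLink pages until a deltaLink arrives and only then
    stores it as the checkpoint for the next crawl."""

    def __init__(self, graph):
        self.graph = graph
        self.objects = {}        # stand-in for the ACL sidecar collection: id -> object
        self.checkpoint = None   # delta link saved by the last successful crawl

    def checkpoint_seq(self):
        return None if self.checkpoint is None else json.loads(self.checkpoint)["seq"]

    def crawl(self):
        """Return the number of pages read, or None if the crawl failed.

        Additions and deletions arrive in the same pages, so a single pass applies
        both. On a transient error the checkpoint stays at the delta link this crawl
        started from, so the next crawl repeats from its first page. An expired
        delta link clears the checkpoint so the next crawl is a full initial crawl
        (assumption of this example).
        """
        start_link = self.checkpoint
        link = start_link
        pages = 0
        try:
            while True:
                resp = self.graph.delta(link)
                pages += 1
                for obj in resp["value"]:
                    if "@removed" in obj:
                        self.objects.pop(obj["id"], None)
                    else:
                        self.objects[obj["id"]] = obj
                if "@odata.deltaLink" in resp:
                    self.checkpoint = resp["@odata.deltaLink"]
                    return pages
                link = resp["@odata.nextLink"]
        except DeltaLinkExpired:
            self.checkpoint = None
            return None
        except RuntimeError:
            self.checkpoint = start_link
            return None
```

Running an initial crawl over three constructed groups, an incremental crawl that adds one group and deletes another, a transient failure, and an expired link shows the sidecar state converging to the same three objects by each path. The scheduling point follows directly: an incremental crawl must complete at least every 30 days or the next run falls back to re-reading the directory from the beginning.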

    Configuration

    • The aclCollectionName field value should match the associated value in the main datasource. For example, SharePoint > Security Trimming > ACL Collection Name.

    • To improve performance, narrow search results for users and groups by setting the userBaseDn and groupBaseDn field values. These fields must select a subtree of the baseDn field.

    When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.

    Active Directory Connector

    description - string

    Optional description

    <= 125 characters

    diagnosticLogging - boolean

    Enable diagnostic logging; disabled by default

    Default: false

    coreProperties - Core Properties

    Common behavior and performance settings.

    fetchSettings - Fetch Settings

    System level settings for controlling fetch behavior and performance.

    numFetchThreads - number

    Maximum number of fetch threads; defaults to 20. This setting controls the number of threads that call the connector's fetch method. Higher values can, but do not always, help with overall fetch performance.

    >= 1

    <= 500

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 20

    Multiple of: 1

    fetchRequestCheckInterval - number

    The amount of time to wait before checking whether a request is done.

    >= 1000

    <= 500000

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 15000

    Multiple of: 1

    fetchItemQueueSize - number

    Size of the fetch item queue. Larger values result in increased memory usage, but potentially higher performance. Default is 10k.

    >= 1

    <= 500000

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 10000

    Multiple of: 1

    fetchResponseScheduledTimeout - number

    The maximum amount of time for a response to be scheduled. The task will be canceled if this setting is exceeded.

    >= 1000

    <= 500000

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 300000

    Multiple of: 1

    fetchResponseCompletedTimeout - number

    The maximum amount of time for a response to be completed. If exceeded, the task will be retried if the job is still running

    >= 1

    <= 600000

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 300000

    Multiple of: 1

    indexMetadata - boolean

    When enabled, the metadata of skipped items will be indexed to the content collection.

    Default: false

    id - string (required)

    A unique identifier for this Configuration.

    >= 1 characters

    Match pattern: ^[a-zA-Z0-9_-]+$

    properties - Properties

    Plugin specific properties.

    security - Security trimming configuration

    collectionId - string

    Id of the collection to be used for storing ACL records. If not specified, ACL collection name will be generated automatically using pattern '<datasource_id>_access_control_hierarchy'.

    authProperties - AD Server Authentication Properties

    The credentials to access the AD server

    userPrincipal - string

    A User Principal with permissions to access the LDAP server. A User Principal can take the format "user@domain", "domain\user", or a distinguished name for the user such as "CN=user,DC=domain,DC=com". This property is not required for anonymous access.

    password - string

    Password of the User Principal. This property is not required for anonymous access.

    serverProperties - AD Server Properties

    AD server configuration.

    ldapHost - string

    The LDAP host of the LDAP/AD server where user information is stored.

    ldapPort - number

    The LDAP/AD server port to use. It is used for all communication with the server, with one exception: when you specify one of the standard global catalog ports (3268 or 3269), requests such as the NetBIOS domain search use the default ldap/ldaps port.

    >= -2147483648

    <= 2147483647

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 389

    Multiple of: 1

    searchProperties - AD Search Properties

    Search Configurations

    baseDn - string

    The base Distinguished Name (DN) in the LDAP directory. It is used when querying for deleted objects, and in normal search queries when a specific user/group DN is not set.

    >= 1 characters

    apiQueryRowLimit - number

    The maximum number of rows returned on a single page from the server. If the server has a lower upper bound, the maximum available amount is requested.

    >= 1

    <= 2147483647

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 5000

    Multiple of: 1

    followReferrals - boolean

    Whether or not to follow LDAP referrals when fetching LDAP groups.

    Default: false

    userSearchProp - User Search Properties

    User Search Configurations

    crawlForUsers - boolean

    Set to true to crawl Active Directory servers for user data.

    Default: true

    userBaseDn - string

    Optional - Distinguished name (DN) in LDAP directory where user objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for users.

    userFilter - string

    LDAP filter used when listing all user objects.

    Default: (&(objectclass=user)(sAMAccountName=*))

    groupSearchProp - Group Search Properties

    Group Search Configurations

    crawlForGroups - boolean

    Set to true to crawl Active Directory servers for group data.

    Default: true

    groupBaseDn - string

    Optional - Distinguished name (DN) in LDAP directory where group objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for groups.

    groupFilter - string

    LDAP filter used when listing all group objects.

    Default: (&(objectclass=group))

    azureProperties - Azure AD Properties

    Properties to set when you want to crawl Azure AD instances for additional group definitions.

    crawlForGroups - boolean

    Set to true if you want to crawl Azure AD instances for group data.

    Default: false

    crawlForUsers - boolean

    Set to true if you want to crawl Azure AD instances for user data.

    Default: false

    authProperties - Authentication Properties

    The credentials to access the Azure instance

    tenantId - string

    If crawling Azure AD instances, supply Azure Tenant ID. This is required when listing Azure Groups from Microsoft Graph API.

    clientId - string

    If crawling Azure AD instances, supply the Azure Application's Client ID. This is required when listing Azure Groups from Microsoft Graph API.

    clientSecret - string

    If crawling Azure AD instances, supply the Azure Application's Client secret. This is required when listing Azure Groups from Microsoft Graph API.

    connectionProperties - Connections Properties

    Connections Configurations

    connectionPoolInitial - number

    Number of initial connections to open in the LDAP connection pool.

    >= -2147483648

    <= 2147483647

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 1

    Multiple of: 1

    connectionPoolMax - number

    Maximum number of LDAP connections that can be opened in the LDAP connection pool.

    >= -2147483648

    <= 2147483647

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 10

    Multiple of: 1

    timeoutProperties - Timeout Properties

    Timeout Configurations

    readTimeout - number

    The read timeout in milliseconds for an LDAP operation.

    >= -2147483648

    <= 2147483647

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 5000

    Multiple of: 1

    connectTimeout - number

    If the LDAP provider cannot establish a connection within this timeout period in milliseconds, it aborts the connection attempt.

    >= -2147483648

    <= 2147483647

    exclusiveMinimum: false

    exclusiveMaximum: false

    Default: 3000

    Multiple of: 1

    sslProperties - SSL Properties

    SSL Configurations

    useLdaps - boolean

    Whether or not to use LDAPS secure protocol.

    Default: false

    base64SSLCertificate - string

    For use with LDAP with SSL only, this is the Base 64 encoded SSL server certificate that will be used to securely communicate with the LDAP server.

    documentsProperties - Document Save Options

    Document Save Options

    adNetbiosDomain - string

    Use this Active Directory NetBIOS domain. If not specified, 'CN=Partitions,CN=Configuration,{dn}' is used to dynamically look up the NetBIOS domain.

    userIdsAreCaseSensitive - boolean

    If set to true, created entries are not capitalized.

    Default: false
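    An added example, not Fusion's code, that builds a configuration body shaped like the reference above and lints it against constraints the page states: the id pattern, the numFetchThreads range, the rule from the Configuration section that userBaseDn and groupBaseDn must lie within baseDn, and balanced parentheses in the LDAP filters. It adds two deployment checks a reviewer would want on the SSL and port settings: a bind password configured with useLdaps false, and useLdaps true on port 389 (the plaintext LDAP default; LDAPS normally uses 636, a fact the page itself does not state). The host, DNs, identifiers and credential values are constructed placeholders, and the validator is this example's own, not a check the connector performs.

```python
import re

ID_PATTERN = re.compile(r"^[a-zA-Z0-9_-]+$")   # Match pattern from the id field


def split_dn(dn):
    """Split a DN into normalised RDN strings on unescaped commas.

    Attribute types and values are lowercased and whitespace around '=' and
    between RDNs is dropped, so 'cn=Users, dc=Example' == 'CN=users,DC=example'.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escaped pairs such as '\,' intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts]


def is_subtree(child_dn, base_dn):
    """True when child_dn is base_dn itself or lies below it (RDN suffix match)."""
    child, base = split_dn(child_dn), split_dn(base_dn)
    return len(child) >= len(base) and child[-len(base):] == base


def example_config():
    """Constructed sample body; every host, DN, id and secret is a placeholder."""
    return {
        "id": "ad-acls-example",
        "description": "ACL sidecar for the SharePoint datasource",
        "coreProperties": {"fetchSettings": {"numFetchThreads": 20}},
        "properties": {
            "security": {"collectionId": "sharepoint_access_control_hierarchy"},
            "authProperties": {"userPrincipal": "svc-crawler@example.com",
                               "password": "PLACEHOLDER-SECRET"},
            "serverProperties": {"ldapHost": "dc1.example.com", "ldapPort": 636},
            "searchProperties": {
                "baseDn": "DC=example,DC=com",
                "apiQueryRowLimit": 5000,
                "userSearchProp": {"crawlForUsers": True,
                                   "userBaseDn": "CN=Users,DC=example,DC=com",
                                   "userFilter": "(&(objectclass=user)(sAMAccountName=*))"},
                "groupSearchProp": {"crawlForGroups": True,
                                    "groupBaseDn": "OU=Groups,DC=example,DC=com",
                                    "groupFilter": "(&(objectclass=group))"},
            },
            "sslProperties": {"useLdaps": True},
        },
    }


def validate(cfg):
    """Return a list of problems; an empty list means the body passed every check."""
    problems = []
    if not ID_PATTERN.match(cfg.get("id", "")):
        problems.append("id must match ^[a-zA-Z0-9_-]+$")
    threads = cfg.get("coreProperties", {}).get("fetchSettings", {}).get("numFetchThreads", 20)
    if not 1 <= threads <= 500:
        problems.append("numFetchThreads must be between 1 and 500")
    props = cfg.get("properties", {})
    search = props.get("searchProperties", {})
    base = search.get("baseDn", "")
    if not base:
        problems.append("baseDn is required")
    scopes = (("userBaseDn", "userFilter", search.get("userSearchProp", {})),
              ("groupBaseDn", "groupFilter", search.get("groupSearchProp", {})))
    for dn_key, filter_key, sub in scopes:
        dn = sub.get(dn_key)
        if dn and base and not is_subtree(dn, base):
            problems.append(f"{dn_key} {dn!r} is not within baseDn {base!r}")
        flt = sub.get(filter_key, "")
        if flt.count("(") != flt.count(")"):
            problems.append(f"{filter_key} has unbalanced parentheses")
    ssl = props.get("sslProperties", {})
    port = props.get("serverProperties", {}).get("ldapPort", 389)
    if props.get("authProperties", {}).get("password") and not ssl.get("useLdaps", False):
        problems.append("password is set but useLdaps is false: the bind would go over plain LDAP")
    if ssl.get("useLdaps", False) and port == 389:
        problems.append("useLdaps is true but ldapPort is 389 (plain LDAP default); LDAPS normally uses 636")
    return problems
```

Run validate() over the body before posting it to the datasource API; a non-empty list is the review finding. The DN comparison is deliberately suffix-based so that a subtree such as OU=Groups,DC=example,DC=com passes while a DN under a different domain component is flagged, which is the mistake the performance note about userBaseDn and groupBaseDn most often turns into.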