Active Directory for ACLs V2 Connector Configuration Reference
The Active Directory Connector for ACLs V2 plugin:
- Is a special connector that supports other data sources by collecting Access Control List (ACL) data
- Indexes ACL information into a configured "sidecar" Solr collection, for use by other connectors
- Connects to LDAP, AD, and Azure AD instances to add objects directly to a special collection for use in security trimming queries
- Extends the Azure AD model from V1 to return a delta link at the end of a crawl, allowing incremental delta searches for groups and users
|
Deprecation and removal notice
This connector is deprecated as of June 19, 2023 and is removed or expected to be removed as of January 31, 2024. The Active Directory for ACLs V2 connector is not compatible with Fusion 5.6 and later, regardless of the removal date. Use the LDAP ACLs V2 connector instead.
|
- LDAP initial crawl: fetches the first paginated list of results. When complete, the initial crawl creates a checkpoint as the starting point for incremental crawls.
- LDAP incremental crawl: uses the checkpoint to fetch specific, paginated access control elements (the changes since that checkpoint). When complete, the incremental crawl creates another checkpoint to use as the starting point for further incremental crawls.
- Azure AD crawl: fetches the groups and users stored in Azure AD. Both user and group retrieval use the Microsoft Graph API delta link request to retrieve incremental changes. Unlike LDAP, an Azure AD delta request returns additions and deletions in a single search, so there is no need to split a crawl into two searches per object type.
The same type of request with an empty delta link parameter is used for the initial crawl; objects are then retrieved as a delta going back to the very beginning of the Azure AD instance.
For Azure groups that have not been removed, the Azure group processor sends an additional request to the server to populate the group's memberof collection.
If an error occurs (for example, an unexpected Azure response), an error is emitted and future crawls start again from the first page, using the delta link that the current crawl started with.
|
Azure rejects delta links older than 30 days. This means incremental crawls must be performed more often than once per month.
|
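The delta-link flow described above, as an added Python example that is not part of the connector or of this page: a constructed in-memory stand-in for the Graph delta endpoint (the FakeGraph class, its link format, its page size and its simulated rejection of links older than 30 days are all assumptions made for the example) and a crawler that keeps the ACL state, applies @removed entries from the same response as additions, issues the extra memberof lookup for surviving groups, stores the delta link only when a crawl completes, and falls back to a full crawl from an empty delta link when the stored link has expired.

```python
from datetime import datetime, timedelta

DELTA_MAX_AGE = timedelta(days=30)   # Azure rejects delta links older than this
PAGE_SIZE = 2                        # tiny page so paging is visible in the example
T0 = datetime(2024, 1, 1)            # constructed clock for the scenario


def at_day(n):
    return T0 + timedelta(days=n)


class DeltaLinkExpired(Exception):
    """Stands in for the 410 Gone that Graph returns for a stale delta link."""


class FakeGraph:
    """Constructed offline stand-in for /users/delta and /groups/delta.
    A link is 'kind:resource:since:head:offset:issued' (assumed format, not Graph's)."""

    def __init__(self):
        self.log = []       # (seq, resource, object id, "add" | "remove")
        self.parents = {}   # group id -> parent group ids, served by member_of()

    def add(self, resource, oid):
        self.log.append((len(self.log) + 1, resource, oid, "add"))

    def remove(self, resource, oid):
        self.log.append((len(self.log) + 1, resource, oid, "remove"))

    def set_parents(self, gid, parents):
        self.parents[gid] = list(parents)

    def member_of(self, gid):
        """The extra per-group request used to populate memberof."""
        return sorted(self.parents.get(gid, []))

    def delta(self, resource, link, now):
        """Return one page as (values, next_link, delta_link). link=None is the
        initial crawl: a delta from the very beginning of the tenant."""
        if link is None:
            since, head, offset, issued = 0, len(self.log), 0, now
        else:
            kind, _res, since, head, offset, issued = link.split(":", 5)
            since, head, offset = int(since), int(head), int(offset)
            issued = datetime.fromisoformat(issued)
            if kind == "delta":            # resume: everything after the last sync point
                head, offset = len(self.log), 0
        if now - issued > DELTA_MAX_AGE:
            raise DeltaLinkExpired(f"{resource}: delta link issued {issued} is too old")
        latest = {}                        # one entry per object, last change wins
        for seq, res, oid, op in self.log:
            if res == resource and since < seq <= head:
                latest[oid] = op
        values = [{"id": oid, **({"@removed": {"reason": "deleted"}} if op == "remove" else {})}
                  for oid, op in latest.items()]
        page = values[offset:offset + PAGE_SIZE]
        if offset + PAGE_SIZE >= len(values):
            return page, None, f"delta:{resource}:{head}:{head}:0:{now.isoformat()}"
        return page, f"next:{resource}:{since}:{head}:{offset + PAGE_SIZE}:{issued.isoformat()}", None


class AclCrawler:
    """Keeps the sidecar ACL state and the per-resource delta-link checkpoint."""

    def __init__(self, graph):
        self.graph = graph
        self.checkpoint = {}                       # resource -> delta link of the last good crawl
        self.acl = {"users": {}, "groups": {}}     # id -> attributes kept for trimming
        self.full_recrawls = 0

    def crawl(self, resource, now):
        try:
            self._walk(resource, self.checkpoint.get(resource), now)
        except DeltaLinkExpired:
            # Crawled less often than once per 30 days: drop the checkpoint and
            # redo the initial crawl from an empty delta link.
            self.full_recrawls += 1
            self.checkpoint.pop(resource, None)
            self._walk(resource, None, now)

    def _walk(self, resource, link, now):
        while True:
            values, next_link, delta_link = self.graph.delta(resource, link, now)
            for obj in values:
                if "@removed" in obj:              # deletions arrive in the same response
                    self.acl[resource].pop(obj["id"], None)
                    continue
                entry = {}
                if resource == "groups":           # only non-removed groups get the memberof lookup
                    entry["memberOf"] = self.graph.member_of(obj["id"])
                self.acl[resource][obj["id"]] = entry
            if delta_link:
                # Checkpoint only at the end: an error mid-crawl leaves the old link in
                # place, so the next crawl restarts from the first page with that link.
                self.checkpoint[resource] = delta_link
                return
            link = next_link


def run_scenario():
    """Initial crawl, one incremental crawl, then a crawl after the link expired."""
    g = FakeGraph()
    for uid in ("u1", "u2", "u3"):
        g.add("users", uid)
    g.add("groups", "g-all")
    g.add("groups", "g-sec")
    g.set_parents("g-sec", ["g-all"])
    c = AclCrawler(g)
    c.crawl("users", at_day(0))                    # initial crawl, empty delta link
    c.crawl("groups", at_day(0))
    g.remove("users", "u2"); g.add("users", "u4"); g.remove("groups", "g-sec")
    c.crawl("users", at_day(5))                    # incremental: +u4 and -u2 in one pass
    c.crawl("groups", at_day(5))
    g.add("users", "u5")
    c.crawl("users", at_day(40))                   # 35-day-old link is rejected: full recrawl
    return c
```

The crawler never persists a delta link mid-crawl, which is what gives the page's failure behaviour (restart from the first page with the link the crawl began with); the expiry branch is the operational reason for the 30-day scheduling rule above.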
- The aclCollectionName field value should match the associated value in the main datasource. For example, Sharepoint > Security Trimming > ACL Collection Name.
- To improve performance, narrow the search for users and groups by setting the userBaseDn and groupBaseDn field values. Both DNs must lie within the subtree of the baseDn field.
|
When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.
|
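A constructed example configuration for the properties listed in the reference below, together with a checker for the two tips above (the ACL collection name matching the datasource, and userBaseDn/groupBaseDn sitting inside the baseDn subtree). This is added Python, not part of the connector or of this page; the host, DNs, principal and collection name are placeholders, and the 'warn'/'info' checks on ports and LDAPS are the editor's sanity checks rather than rules stated on the page.

```python
import re

ID_PATTERN = re.compile(r"^[a-zA-Z0-9_-]+$")
GLOBAL_CATALOG_PORTS = {3268, 3269}
PLAINTEXT_PORTS = {389, 3268}   # LDAP and global catalog without TLS (636/3269 are the TLS ports)

# Constructed example: placeholder host, DNs, principal and collection name.
EXAMPLE_CONFIG = {
    "id": "ad-acls",
    "properties": {
        "security": {"collectionId": "sharepoint_acl"},   # same value as the datasource's ACL collection
        "authProperties": {"userPrincipal": "svc-crawler@example.com", "password": "<secret>"},
        "serverProperties": {"ldapHost": "dc01.example.com", "ldapPort": 3269},
        "searchProperties": {
            "baseDn": "DC=example,DC=com",
            "apiQueryRowLimit": 5000,
            "userSearchProp": {"crawlForUsers": True, "userBaseDn": "CN=Users,DC=example,DC=com",
                               "userFilter": "(&(objectclass=user)(sAMAccountName=*))"},
            "groupSearchProp": {"crawlForGroups": True, "groupBaseDn": "OU=Groups,DC=example,DC=com",
                                "groupFilter": "(&(objectclass=group))"},
        },
        "connectionProperties": {"connectionPoolInitial": 1, "connectionPoolMax": 10},
        "sslProperties": {"useLdaps": True, "base64SSLCertificate": "MIIC...(placeholder)"},
    },
}


def parse_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, keeping '\\,' escapes intact.
    Multi-valued RDNs (a=x+b=y) are not handled; the DNs here do not use them."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both chars
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            rdns, cur, i = rdns + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    rdns.append(cur)
    parts = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def within_subtree(dn, base):
    """True when dn is base itself or lies below it (suffix match on normalized RDNs)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def validate(config, datasource_acl_collection=None):
    """Return (level, message) tuples. 'error' follows a rule stated in the reference;
    'warn'/'info' are added sanity checks from the editor, not page rules."""
    out = []
    p = config.get("properties", {})
    if not ID_PATTERN.match(config.get("id", "")):
        out.append(("error", "id must match ^[a-zA-Z0-9_-]+$"))
    # Tip 1: the ACL collection the datasource trims against must be this one.
    acl = p.get("security", {}).get("collectionId") or f"{config.get('id')}_access_control_hierarchy"
    if datasource_acl_collection and datasource_acl_collection != acl:
        out.append(("error", f"datasource ACL collection {datasource_acl_collection!r} != {acl!r}"))
    # Tip 2: userBaseDn / groupBaseDn must sit inside the baseDn subtree.
    search = p.get("searchProperties", {})
    base = search.get("baseDn", "")
    if not base:
        out.append(("error", "baseDn is required"))
    for sub, key in (("userSearchProp", "userBaseDn"), ("groupSearchProp", "groupBaseDn")):
        dn = search.get(sub, {}).get(key)
        if base and dn and not within_subtree(dn, base):
            out.append(("error", f"{key} {dn!r} is outside baseDn {base!r}"))
    port = p.get("serverProperties", {}).get("ldapPort", 389)
    ssl = p.get("sslProperties", {})
    if not ssl.get("useLdaps"):
        out.append(("warn", "useLdaps is off: the bind to ldapHost is not encrypted"))
        if ssl.get("base64SSLCertificate"):
            out.append(("warn", "base64SSLCertificate is only used with LDAPS"))
    elif port in PLAINTEXT_PORTS:
        out.append(("warn", f"useLdaps is on but ldapPort {port} is the non-TLS port"))
    if port in GLOBAL_CATALOG_PORTS:
        out.append(("info", f"port {port} is a global catalog port; the NetBIOS domain lookup "
                            "still goes to the default LDAP/LDAPS port, which must also be reachable"))
    pool = p.get("connectionProperties", {})
    if pool.get("connectionPoolInitial", 1) > pool.get("connectionPoolMax", 10):
        out.append(("error", "connectionPoolInitial exceeds connectionPoolMax"))
    return out


def errors(config, datasource_acl_collection=None):
    return [m for level, m in validate(config, datasource_acl_collection) if level == "error"]
```

The subtree check normalizes attribute names, whitespace and case before comparing RDN suffixes, so "cn=Users, DC=Example,DC=COM" is accepted under "DC=example,DC=com" while a DN in another domain is rejected; the default ACL collection name is derived with the '<datasource_id>_access_control_hierarchy' pattern from the reference when collectionId is left empty.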
Active Directory Connector
description - string
Optional description
<= 125 characters
diagnosticLogging - boolean
Enable diagnostic logging; disabled by default
Default: false
coreProperties - Core Properties
Common behavior and performance settings.
fetchSettings - Fetch Settings
System level settings for controlling fetch behavior and performance.
numFetchThreads - number
Maximum number of fetch threads; defaults to 20. This setting controls the number of threads that call the connector's fetch method. Higher values can, but do not always, help with overall fetch performance.
>= 1
<= 500
exclusiveMinimum: false
exclusiveMaximum: false
Default: 20
Multiple of: 1
fetchRequestCheckInterval - number
The amount of time to wait before checking whether a request is done.
>= 1000
<= 500000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 15000
Multiple of: 1
fetchItemQueueSize - number
Size of the fetch item queue. Larger values result in increased memory usage, but potentially higher performance. Default is 10k.
>= 1
<= 500000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 10000
Multiple of: 1
fetchResponseScheduledTimeout - number
The maximum amount of time for a response to be scheduled. The task will be canceled if this setting is exceeded.
>= 1000
<= 500000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 300000
Multiple of: 1
fetchResponseCompletedTimeout - number
The maximum amount of time for a response to be completed. If exceeded, the task is retried if the job is still running.
>= 1
<= 600000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 300000
Multiple of: 1
indexMetadata - boolean
When enabled the metadata of skipped items will be indexed to the content collection
Default: false
id - string (required)
A unique identifier for this Configuration.
>= 1 characters
Match pattern: ^[a-zA-Z0-9_-]+$
properties - Properties
Plugin specific properties.
security - Security trimming configuration
collectionId - string
Id of the collection to be used for storing ACL records. If not specified, ACL collection name will be generated automatically using pattern '<datasource_id>_access_control_hierarchy'.
authProperties - AD Server Authentication Properties
The credentials to access the AD server
userPrincipal - string
A user principal with permissions to access the LDAP server. It can take the format "user@domain", "domain\user", or the user's distinguished name, such as "CN=user,DC=domain,DC=com". This property is not required for anonymous access.
password - string
Password of the User Principal. This property is not required for anonymous access
serverProperties - AD Server Properties
AD server Configurations
ldapHost - string
The LDAP host of the LDAP/AD server where user information is stored.
ldapPort - number
The LDAP/AD server port to use. It is used for all communication with the server, with one exception: when you specify one of the standard global catalog ports (3268 or 3269), requests such as the NetBIOS domain search use the default LDAP/LDAPS port (389 or 636) instead.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 389
Multiple of: 1
searchProperties - AD Search Properties
Search Configurations
baseDn - string
The base Distinguished Name (DN) in the LDAP directory. It is used when querying for deleted objects, and in normal search queries whenever the specific user or group DN (userBaseDn, groupBaseDn) is not set.
>= 1 characters
apiQueryRowLimit - number
The maximum number of rows returned on a single page from the server. If the server enforces a lower limit, the maximum the server allows is requested.
>= 1
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 5000
Multiple of: 1
followReferrals - boolean
Whether or not to follow LDAP referrals when fetching LDAP groups.
Default: false
userSearchProp - User Search Properties
User Search Configurations
crawlForUsers - boolean
Set to true if you want to crawl Active Directory servers for user data.
Default: true
userBaseDn - string
Optional - Distinguished name (DN) in LDAP directory where user objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for users.
userFilter - string
LDAP filter used when listing all user objects.
Default: (&(objectclass=user)(sAMAccountName=*))
groupSearchProp - Group Search Properties
Group Search Configurations
crawlForGroups - boolean
Set to true if you want to crawl Active Directory servers for group data.
Default: true
groupBaseDn - string
Optional - Distinguished name (DN) in LDAP directory where group objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for groups.
groupFilter - string
LDAP filter used when listing all group objects.
Default: (&(objectclass=group))
azureProperties - Azure AD Properties
Properties to set when crawling Azure AD instances for additional group definitions.
crawlForGroups - boolean
Set to true if you want to crawl Azure AD instances for groups data.
Default: false
crawlForUsers - boolean
Set to true if you want to crawl Azure AD instances for user data.
Default: false
authProperties - Authentication Properties
The credentials to access the Azure instance
tenantId - string
If crawling Azure AD instances, supply Azure Tenant ID. This is required when listing Azure Groups from Microsoft Graph API.
clientId - string
If crawling Azure AD instances, supply the Azure Application's Client ID. This is required when listing Azure Groups from Microsoft Graph API.
clientSecret - string
If crawling Azure AD instances, supply the Azure Application's Client secret. This is required when listing Azure Groups from Microsoft Graph API.
connectionProperties - Connections Properties
Connections Configurations
connectionPoolInitial - number
Number of initial connections to open in the LDAP connection pool.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 1
Multiple of: 1
connectionPoolMax - number
Maximum number of LDAP connections that can be opened in the LDAP connection pool.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 10
Multiple of: 1
timeoutProperties - Timeout Properties
Timeout Configurations
readTimeout - number
The read timeout in milliseconds for an LDAP operation.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 5000
Multiple of: 1
connectTimeout - number
If the LDAP provider cannot establish a connection within this timeout period in milliseconds, it aborts the connection attempt.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 3000
Multiple of: 1
sslProperties - SSL Properties
SSL Configurations
useLdaps - boolean
Whether or not to use LDAPS secure protocol.
Default: false
base64SSLCertificate - string
For use with LDAPS only: the Base64-encoded SSL server certificate that is used to communicate securely with the LDAP server.
documentsProperties - Document Save Options
Document Save Options
adNetbiosDomain - string
Use this Active Directory NetBIOS domain. If not specified, 'CN=Partitions,CN=Configuration,{dn}' is queried to look up the NetBIOS domain dynamically.
userIdsAreCaseSensitive - boolean
If set to 'true', created entries are not capitalized; user IDs keep the case in which they were read.
Default: false