Aspire LDAP Proxy (Aspire 2)
The Aspire Apache Directory Services component is a custom implementation of ApacheDS, integrated into Aspire as a component. It provides the ability to intercept LDAP requests and either proxy them to an LDAP server (via an LDAP Connection) or expand requests for group membership via an Aspire pipeline.
This component provides a custom partition (see the searchBase configuration) with custom search methods. It runs an instance of an LDAP server (ApacheDS) and can accept any incoming LDAP request (for example from a GSA), to handle authentication or to provide additional authorization information (user group expansion).
Any request for the groups of a given user is cached for a period of time. Subsequent requests for the same user during this period will be served from the cache, not sent to the LDAP server. Note that only group expansion requests are cached. All other requests (bind, lookup etc.) will always be sent to the LDAP server.
| Element | Type | Default | Description |
|---|---|---|---|
| port | int | 10389 | Port on which this component will listen for LDAP requests. |
| ldapConnectorManager | string | | Name of the LDAP Connection component that will handle interaction with a "real" LDAP server. Required. |
| searchBase | string | dc=search,dc=local | The search base for this directory (and the name of the Aspire custom partition). This value must be the same as the search base used by the requesting client, otherwise search requests won't be routed to the Aspire custom partition. |
| groupFilterPattern | string | `\(184.108.40.206=([^\)]*)\)\(0.9.2342.19200300.100.1.1=([^\)]*)\)\)` | Regular expression used to identify group expansion requests. Must use standard attribute OIDs (not attribute names). |
| userFilter | string | `(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))` | LDAP query to perform when searching for a user (when proxying an incoming search request). |
| | | | The group expansion cache retention time in ms. Any request for the groups of a given user is cached for this period of time. Subsequent requests for the same user during this period will be served from the cache, not sent to the LDAP server. Note that only group expansion requests are cached. All other requests will be sent to the LDAP server. |
| processing/route | string | | One or more routes that group expansion requests will be sent to. |
| expanders/route | string | | The routes that the group expansion router will attach when publishing its jobs. See below. |
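The two mechanisms described above, classifying an incoming LDAP filter with groupFilterPattern and serving repeat group requests from a time-bounded cache, are illustrated below in an added Python example. It is not part of the Aspire product; the regular expression is the page's default pattern used verbatim, the retention time and the fake clock are assumptions, and the `expand` callback stands in for the pipeline round trip. The cache window is the interval during which a group removal in the real directory is not yet visible through the proxy, so size it against how quickly revocations must take effect.

```python
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

# The page's default groupFilterPattern, used verbatim. It matches on attribute
# OIDs rather than names, which is why the capture groups wrap OID values.
GROUP_FILTER_PATTERN = re.compile(
    r"\(184.108.40.206=([^\)]*)\)\(0.9.2342.19200300.100.1.1=([^\)]*)\)\)"
)

# Assumed retention time in ms; the page does not show the element name for it.
CACHE_TTL_MS = 60_000


def classify_request(ldap_filter: str) -> Tuple[str, Optional[str]]:
    """Decide how the proxy should treat an incoming search filter.

    Returns ("groupExpansion", username) when the filter matches the group
    filter pattern (the username is the second capture group), otherwise
    ("proxy", None), meaning the request is forwarded to the real LDAP server.
    """
    match = GROUP_FILTER_PATTERN.search(ldap_filter)
    if match:
        return "groupExpansion", match.group(2)
    return "proxy", None


class GroupExpansionCache:
    """Per-user cache of expanded groups with a fixed retention window.

    A hit inside the window is answered locally; a miss (or an expired entry)
    calls the supplied expander and stores its result. The clock is injectable
    so the expiry behaviour can be checked without sleeping.
    """

    def __init__(self, ttl_ms: int, clock: Callable[[], float] = time.monotonic):
        self.ttl_ms = ttl_ms
        self.clock = clock  # returns seconds
        self._entries: Dict[str, Tuple[float, List[str]]] = {}
        self.misses = 0  # number of times the expander was actually called

    def groups_for(self, user: str, expand: Callable[[str], List[str]]) -> List[str]:
        now_ms = self.clock() * 1000.0
        entry = self._entries.get(user)
        if entry is not None and now_ms - entry[0] < self.ttl_ms:
            return list(entry[1])
        self.misses += 1
        groups = list(expand(user))
        self._entries[user] = (now_ms, groups)
        return groups


def handle_search(ldap_filter: str, cache: GroupExpansionCache,
                  expand: Callable[[str], List[str]]) -> Tuple[str, List[str]]:
    """Route one search: group expansion requests go through the cache,
    everything else is marked for proxying (the forwarding itself is out of scope)."""
    kind, user = classify_request(ldap_filter)
    if kind == "groupExpansion" and user:
        return kind, cache.groups_for(user, expand)
    return kind, []


if __name__ == "__main__":
    # Constructed filters: one group expansion request, one ordinary user lookup.
    cache = GroupExpansionCache(CACHE_TTL_MS)
    fake_directory = lambda user: ["ldapGroup1", "ldapGroup2"] if user == "sdenny" else []
    print(handle_search("(&(184.108.40.206=group)(0.9.2342.19200300.100.1.1=sdenny))",
                        cache, fake_directory))
    print(handle_search("(&(objectClass=user)(sAMAccountName=sdenny))", cache, fake_directory))
    print("expander calls:", cache.misses)
```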
For group expansion requests to be processed, you must configure a branch for the onGroupExpansion event.
```xml
<branches>
  <branch event="onGroupExpansion" pipelineManager="pipelineManager" pipeline="dummyPipeline" />
</branches>
```
Group Expansion Processing
Group Expansion Request
When a group expansion request is received, it is formed into a group expansion request message and published to the groupExpansion event. The expanders are added to the request message and the resulting message looks like:
```xml
<doc type="groupExpansion">
  <username dn="cn=Steve Denny,cn=Users,dc=search,dc=local">sdenny</username>
  <groupExpansion>
    <expanders>
      <expander>/pipeline1</expander>
      <expander>/pipeline2</expander>
    </expanders>
  </groupExpansion>
</doc>
```
The job will be routed using the information given in the <processing/route> tags (so it's possible that the job is published to a dummy pipeline with no processing stages). It's expected that there is (optionally) a preprocessing pipeline, a pipeline containing a group expansion router and (optionally) a post processing pipeline. The <expanders/route> configuration populates the <groupExpansion> part of the message.
Group Expansion Response
```xml
<doc type="groupExpansion">
  <username dn="cn=Steve Denny,cn=Users,dc=search,dc=local">sdenny</username>
  <groupExpansion>
    <expanders>
      <expander>/pipeline1</expander>
      <expander>/pipeline2</expander>
    </expanders>
  </groupExpansion>
  <groups>
    <group source="ldap">ldapGroup1</group>
    <group source="ldap">ldapGroup2</group>
    <group source="ldap">ldapGroup3</group>
  </groups>
</doc>
```
The <group> tag holds the name of the group to be returned in the LDAP response, and the source attribute should hold an indicator of the component that added the group to the response. In a component derived from the Simple Group Expander component, this is achieved using the group expansion result.
Once the job is complete on the pipeline, the proxy gathers the groups from the returned job and returns them to the requester.
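The request-to-response flow described above, as an added Python example that is not part of Aspire: a request document in the shape shown is parsed, each listed expander route is resolved to a hypothetical expander (a callable standing in for a pipeline), the groups it returns are appended under <groups> with a source attribute, and a final step gathers the groups the way the proxy does before answering the requester. The request document, the expander callables and the group names are constructed for the example; the source label is the expander route, which is one way of satisfying the page's requirement that source identify the component that added the group.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Constructed request document in the shape shown on the page (not a capture).
REQUEST_XML = """<doc type="groupExpansion">
  <username dn="cn=Steve Denny,cn=Users,dc=search,dc=local">sdenny</username>
  <groupExpansion>
    <expanders>
      <expander>/pipeline1</expander>
      <expander>/pipeline2</expander>
    </expanders>
  </groupExpansion>
</doc>"""

# Hypothetical expanders keyed by route. In Aspire these would be pipelines
# reached through the expanders/route configuration; here they are callables.
EXPANDERS: Dict[str, Callable[[str], List[str]]] = {
    "/pipeline1": lambda user: ["ldapGroup1", "ldapGroup2"] if user == "sdenny" else [],
    "/pipeline2": lambda user: ["ldapGroup3"] if user == "sdenny" else [],
}


def build_response(request_xml: str,
                   expanders: Dict[str, Callable[[str], List[str]]] = EXPANDERS) -> str:
    """Run every expander named in the request and append its groups to the doc.

    Only documents of type groupExpansion are accepted; a route with no bound
    expander contributes nothing rather than failing the whole request.
    """
    doc = ET.fromstring(request_xml)
    if doc.get("type") != "groupExpansion":
        raise ValueError("not a groupExpansion document")
    user = (doc.findtext("username") or "").strip()
    if not user:
        raise ValueError("groupExpansion document has no username")

    groups_el = doc.find("groups")
    if groups_el is None:
        groups_el = ET.SubElement(doc, "groups")

    for expander_el in doc.iterfind("groupExpansion/expanders/expander"):
        route = (expander_el.text or "").strip()
        expand = expanders.get(route)
        if expand is None:
            continue  # configured route without an expander: skip, do not invent groups
        for name in expand(user):
            group_el = ET.SubElement(groups_el, "group", source=route)
            group_el.text = name
    return ET.tostring(doc, encoding="unicode")


def gather_groups(response_xml: str) -> List[Tuple[str, str]]:
    """What the proxy does with the completed job: collect (group, source) pairs
    from <groups>, dropping empty names and duplicate group names."""
    doc = ET.fromstring(response_xml)
    collected: List[Tuple[str, str]] = []
    seen = set()
    for group_el in doc.iterfind("groups/group"):
        name = (group_el.text or "").strip()
        if not name or name in seen:
            continue
        seen.add(name)
        collected.append((name, group_el.get("source", "")))
    return collected


if __name__ == "__main__":
    response = build_response(REQUEST_XML)
    print(response)
    print(gather_groups(response))
```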
```xml
<component name="LdapProxy" subType="default" factoryName="aspire-apache-ds">
  <searchBase>dc=search,dc=local</searchBase>
  <ldapConnectorManager>Main/LDAPGroupExpander</ldapConnectorManager>
  <processing>
    <route>/GroupExpansion/Main</route>
  </processing>
  <expanders>
    <route>/SharePointConnector</route>
    <route>/DocumentumConnector</route>
  </expanders>
  <debug>true</debug>
  <branches>
    <branch event="onGroupExpansion" pipeline="dummy-for-routing" pipelineManager="Main"/>
  </branches>
</component>
```
Configuring with the GSA
For information on configuring the proxy for use with the Google Search Appliance (GSA) see here.