Aspire LDAP Proxy (Aspire 2)

From wiki.searchtechnologies.com
Factory Name: com.searchtechnologies.aspire:aspire-apache-ds
subType: default
Inputs: LDAP Protocol requests. See below for more details.
Outputs: LDAP Protocol responses. See below for more details.

The Aspire Apache Directory Services component is a custom implementation of ApacheDS, integrated into Aspire as a component. It intercepts LDAP requests and either proxies them to an LDAP server (via an LDAP Connection) or expands requests for group membership via an Aspire pipeline.

This component provides a custom partition (see the searchBase configuration) with custom search methods. It runs an instance of an LDAP server (ApacheDS) and accepts any incoming LDAP request (for example from a GSA), either to handle authentication or to provide additional authorization information (user group expansion).

Any request for groups for a given user is cached for a period of time. Subsequent requests for the same user during this period are served from the cache and are not sent to the LDAP server. Note that only group expansion requests are cached; all other requests (bind, lookup, etc.) are always sent to the LDAP server.

Configuration

port (int, default 10389)
  Port on which this component will listen for LDAP requests.

ldapConnectorManager (string, required)
  Name of the LDAP Connection component that will handle interaction with a "real" LDAP server.

searchBase (string, default dc=search,dc=local)
  The search base for this directory (and the name of the Aspire custom partition). This value must be the same as the search base used by the requesting client, otherwise search requests won't be routed to the Aspire custom partition.

groupFilterPattern (string, default \(2.5.4.50=([^\)]*)\)\(0.9.2342.19200300.100.1.1=([^\)]*)\)\))
  Regular expression used to identify group expansion requests. Must use standard attribute OIDs (not attribute names).

userFilter (string, default (&(objectClass=user)(objectClass=person)(sAMAccountName=%s)))
  LDAP query to perform when searching for a user (when proxying an incoming search request).

cacheTimeout (string, default 1800000 = 30 mins)
  The group expansion cache retention time in ms. Any request for groups for a given user is cached for this period of time. Subsequent requests for the same user during this period are served from the cache and are not sent to the LDAP server. Note that only group expansion requests are cached; all other requests are sent to the LDAP server.

processing/route (string)
  One or more routes that group expansion requests will be sent to.

expanders/route (string)
  The routes that the group expansion router will attach when publishing its jobs. See below.
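As an added illustration (not Aspire's own code) of how the default groupFilterPattern and cacheTimeout settings above interact: an incoming search filter is classified as a group expansion request by the regex, and only those results are cached, with an entry older than cacheTimeout ms treated as absent. The `expander` callable and the injectable `clock` are assumptions standing in for the Aspire pipeline and the system time.

```python
import re
import time

# Default groupFilterPattern from the table above; it names attributes by OID
# (2.5.4.50 = uniqueMember, 0.9.2342.19200300.100.1.1 = uid), as the proxy requires.
GROUP_FILTER_PATTERN = re.compile(
    r"\(2.5.4.50=([^\)]*)\)\(0.9.2342.19200300.100.1.1=([^\)]*)\)\)")
CACHE_TIMEOUT_MS = 1800000  # default cacheTimeout (30 minutes)

def classify_request(ldap_filter):
    """('groupExpansion', dn, uid) when the filter matches groupFilterPattern,
    else ('proxy', None, None): forward unchanged to the real LDAP server."""
    m = GROUP_FILTER_PATTERN.search(ldap_filter)
    return ("groupExpansion", m.group(1), m.group(2)) if m else ("proxy", None, None)

class GroupCache:
    """Per-user group cache with the page's retention rule: an entry older than
    cacheTimeout ms is treated as absent. `clock` returns seconds (injectable)."""
    def __init__(self, timeout_ms=CACHE_TIMEOUT_MS, clock=time.time):
        self.timeout_ms = timeout_ms
        self.clock = clock
        self._entries = {}  # uid -> (stored_at_ms, groups)

    def get(self, uid):
        entry = self._entries.get(uid)
        if entry is None:
            return None
        stored_at_ms, groups = entry
        if self.clock() * 1000 - stored_at_ms >= self.timeout_ms:
            del self._entries[uid]  # expired: next request goes to the pipeline
            return None
        return list(groups)

    def put(self, uid, groups):
        self._entries[uid] = (self.clock() * 1000, list(groups))

def expand_groups(cache, ldap_filter, expander):
    """Serve a group expansion request from the cache when possible; otherwise call
    expander(uid) (stands in for the Aspire pipeline) and cache its result.
    Returns (groups, served_from_cache)."""
    kind, _dn, uid = classify_request(ldap_filter)
    if kind != "groupExpansion":
        raise ValueError("not a group expansion request; proxy it instead")
    cached = cache.get(uid)
    if cached is not None:
        return cached, True
    groups = list(expander(uid))
    cache.put(uid, groups)
    return groups, False
```

If you reproduce the userFilter substitution yourself, escape the captured uid per RFC 4515 before inserting it into `(sAMAccountName=%s)`, since the value originates from the client's filter.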

Branch Configuration

For group expansion requests to be processed, you must configure a branch for the onGroupExpansion event.

 <branches>
   <branch event="onGroupExpansion" pipelineManager="pipelineManager" pipeline="dummyPipeline" />
 </branches>

Group Expansion Processing

Group Expansion Request

When a group expansion request is received, it is formed into a group expansion request message and published to the groupExpansion event. The expanders are added to the request message, and the resulting message looks like:

 <doc type="groupExpansion">
   <username dn="cn=Steve Denny,cn=Users,dc=search,dc=local">sdenny</username>
   <groupExpansion>
     <expanders>
       <expander>/pipeline1</expander>
       <expander>/pipeline2</expander>
     </expanders>
   </groupExpansion>
 </doc>

The job will be routed using the information given in the <processing/route> tags (so it's possible that the job is published to a dummy pipeline with no processing stages). It's expected that there is (optionally) a preprocessing pipeline, a pipeline containing a group expansion router and (optionally) a post processing pipeline. The <expanders/route> configuration populates the <groupExpansion> part of the message.

Group Expansion Response

Any group expansion component this request is sent to should add groups to the AspireObject of the Job in the following format:

 <doc type="groupExpansion">
   <username dn="cn=Steve Denny,cn=Users,dc=search,dc=local">sdenny</username>
   <groupExpansion>
     <expanders>
       <expander>/pipeline1</expander>
       <expander>/pipeline2</expander>
     </expanders>
   </groupExpansion>
   <groups>
     <group source="ldap">ldapGroup1</group>
     <group source="ldap">ldapGroup2</group>
     <group source="ldap">ldapGroup3</group>
   </groups>
 </doc>

The <group> tag holds the name of the group to be returned in the LDAP response and the source attribute should hold an indicator of the component that added the group to the response. In a component derived from the Simple Group Expander component, this is achieved using the group expansion result.

Once the job is complete on the pipeline, the proxy will gather the groups from the returned job and return them to the requester.
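The request and response messages described above, rendered as an added Python example (not Aspire's own code; ElementTree stands in for the AspireObject API). The type and username checks in `collect_groups` are additions, so that a job for a different user can never contribute groups to this response.

```python
import xml.etree.ElementTree as ET

def build_group_expansion_request(username, dn, expanders):
    """The <doc type="groupExpansion"> message published when a group expansion
    request is received; `expanders` are the <expanders/route> values."""
    doc = ET.Element("doc", type="groupExpansion")
    ET.SubElement(doc, "username", dn=dn).text = username
    exp = ET.SubElement(ET.SubElement(doc, "groupExpansion"), "expanders")
    for route in expanders:
        ET.SubElement(exp, "expander").text = route
    return doc

def add_groups(doc, source, names):
    """What a group expansion component on the pipeline does: append
    <group source="..."> entries under <groups>, creating it if absent."""
    groups = doc.find("groups")
    if groups is None:
        groups = ET.SubElement(doc, "groups")
    for name in names:
        ET.SubElement(groups, "group", source=source).text = name
    return doc

def collect_groups(doc, expected_user):
    """What the proxy does once the job completes: gather (name, source) pairs
    for the LDAP response. The type and username checks are added here so a
    mismatched job can never contribute another user's groups; names reported
    by more than one expander are returned once, with the first source seen."""
    if doc.get("type") != "groupExpansion":
        raise ValueError("not a groupExpansion job")
    user = doc.findtext("username")
    if user != expected_user:
        raise ValueError("job is for %r, not %r" % (user, expected_user))
    seen, result = set(), []
    for g in doc.iterfind("groups/group"):
        name = (g.text or "").strip()
        if name and name not in seen:
            seen.add(name)
            result.append((name, g.get("source")))
    return result
```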

Example Configuration

  <component name="LdapProxy" subType="default" factoryName="aspire-apache-ds">
    <searchBase>dc=search,dc=local</searchBase>
    <ldapConnectorManager>Main/LDAPGroupExpander</ldapConnectorManager>
    <processing>
      <route>/GroupExpansion/Main</route>
    </processing>
    <expanders>
      <route>/SharePointConnector</route>
      <route>/DocumentumConnector</route>
    </expanders>
    <debug>true</debug>
    <branches>
      <branch event="onGroupExpansion" pipeline="dummy-for-routing" pipelineManager="Main"/>
    </branches>
  </component>

Configuring with the GSA

For information on configuring the proxy for use with the Google Search Appliance (GSA) see here.