Aspire LDAP Proxy 0.4
For Information on Aspire 3.1 Click Here
|Aspire LDAP Proxy 0.4|
|Description:||Receives LDAP protocol requests from the GSA and responds with authentication or authorization information.|
|Inputs:||LDAP Protocol requests. See below for more details.|
|Outputs:||LDAP Protocol responses. See below for more details.|
|Object Type:||LDAP Protocol request|
Is an Aspire component that have been developed to provide additional authorization capabilities to the GSA.
It is a custom implementation of ApacheDS, and integrated to Aspire as a component. Specifically, a custom partition (see searchBase configuration) with custom search methods was implemented.
This component (packaged into an Aspire distribution) will run an instance of an LDAP server (ApacheDS) an accept any incoming LDAP requests from the GSA, to handle authentication or provide additional authorization information (user group expansion).
So, the final authorization system is faster (does group expansion once when the user authenticates to the GSA front-end, aka early-binding) and allows to use nested groups from any source of documents.
How it works
GSA must be configured to use LDAP to lookup user's group information during authentication. See the GSA wiki for more information on this. Also, per-url ACLS are required on the GSA (so, document ACLs must be indexed as well). Notice that no group expansion occurs at index time, ACLs are indexed just as they come in the files.
The LDAP server configured on the GSA, will be the Aspire LDAP proxy instead of the real customer's LDAP server.
When a user authenticates to the GSA front-end, GSA will send two requests to the configured LDAP server (Aspire proxy in this case).
- A request to authenticate the user: In this case, Aspire LDAP proxy will redirect the request to the customer's real LDAP server and pass the response back to the GSA.
- A request for user groups (if the user was successfully authenticated). This is an attempt to get all the groups to which the user is member of. In this case, Aspire LDAP proxy will intercept this request, pass it to an Aspire pipeline, and add additional group information from the configured repositories (this pipeline can be extended as required to include other repositories). Once the information is gathered, is sent back to the GSA. From this point, GSA will handle authorization with the extended group information, by comparing the indexed document ACLs with the user/groups information retrieved from LDAP proxy.
Once GSA gets the group information, it stores it in the cache so that further queries from the same user will not require any additional group expansion.
When to use
- The customer requires nested groups from LDAP.
- There are documents from repositories which have their own group definition (for example SharePoint or Documentum).
- The GSA is not able to get group information from Active Directory (due some limitation on the GSA, it fails to retrieve information from Active Directory for some customers installations. This issue was addressed by the Aspire LDAP proxy, and solved by using Active Directory API to get the group information, instead of the Java API).
|ldapConnectorManager||string||Name of the LDAP Connection component that will handle authentication. Required. (in the future this should be optional, so that aspire-ldap-proxy won't need of an existing LDAP server to operate).|
|searchBase||string||Search base for this directory and actually the name of the Aspire custom partition . This value must be the same as the one configured on the GSA, otherwise search requests won't be routed to the Aspire custom partition.|
|port||int||Port on which the Aspire LDAP proxy will listen to LDAP requests.|
|groupFilterPattern||string||Pattern to identify group expansions. Must use standard attributes OIDs (not attribute names). This is a due ApacheDS constraints.|
Should always have the following two branches (this is likely to be changed in the future):
<branches> <!-- There are two branches configured. Normally two jobs will be submitted at the same time, so you can have two user group expansion pipelines that work simultaneously. --> <branch event="onUserGroupExpansion1" pipelineManager="Get-User-Groups-Pipe-Manager" pipeline="fetch-adsp-groups" /> <branch event="onUserGroupExpansion2" pipelineManager="Get-User-Groups-Pipe-Manager" pipeline="fetch-doc-groups" /> </branches>
Change the target pipelines according to your needs.
<!-- Aspire LDAP proxy. Runs an instance of ApacheDS. Uses aspire-ldap to handle user authentication. --> <component name="LdapProxy" subType="default" factoryName="aspire-apacheds"> <config> <!-- Path to the aspire-ldap component that to use for user authentication. --> <ldapConnectorManager>LdapConnector</ldapConnectorManager> <!-- Search base of this ApacheDS. This is how the custom partition will be named. --> <searchBase>dc=contoso,dc=com</searchBase> <!-- Port on which the Aspire LDAP proxy will listen to LDAP requests. --> <port>10389</port> <!-- Pattern to identify group expansions. --> <groupFilterPattern>\(\|\(184.108.40.206=([^\)]*)\)\(0.9.2342.19200300.100.1.1=([^\)]*)\)\)</groupFilterPattern> <branches> <!-- There are two branches configured. Normally two jobs will be submitted at the same time, so you can have two user group expansion pipelines that work simultaneously. --> <branch event="onUserGroupExpansion1" pipelineManager="Get-User-Groups-Pipe-Manager" pipeline="fetch-adsp-groups" /> <branch event="onUserGroupExpansion2" pipelineManager="Get-User-Groups-Pipe-Manager" pipeline="fetch-doc-groups" /> </branches> </config> </component>
How to deploy as an Aspire Distribution
Setup the GSA
- Go to GSA's administration page (port 8000).
- Go to "Administration->LDAP setup"
- Make sure "Use LDAP for User Authentication during serve-time." and also "Lookup a user's group information during Authentication whenever possible." are checked.
- Click on "Change LDAP Server".
- Host= Aspire LDAP proxy server IP
- Port Number = Configured port number on Aspire LDAP proxy (defaults to 389)
- Distinguished Name (DN)= User to access the real costumer LDAP server. You must write the complete DN (for example 'CN=Administrator,CN=Users,DC=contoso,DC=com').
- Password: User password.
- Make sure "Go to advanced settings page even if detection fails." is checked.
- Click on "Continue".
- Set LDAP Search base to the costumers real LDAP server base DN (for example, 'DC=contoso,DC=com'). Be sure this matches the configured search base on the aspire-ldap-proxy.xml configuration (see "Setup Aspire LDAP Proxy distribution).
- Set user search filter to "(&(objectclass=person)(uid=%s))".
- set group search filter to "(|(uniquemember=%dn)(uid=%s))".
- Make sure "None" is selected on SSL support.
- Click on "Save LDAP settings". You may want to test the configuration after saving the settings "LDAP Search User Authentication Test" section.
Setup Aspire LDAP Proxy distribution
- Check the code out from Aspire ApacheDS Distribution.
- Go to the file /distribution-files/conf/get-user-groups.xml. Change the required fields in the configuration as required (details are in this page).
- Check this Running the Distribution Project and this How to Deploy to a Machine with No Internet Access as required to create the new distribution.
Additional components (recently developed) are available for user group expansion. Most of them are in https://svn.searchtechnologies.com/svn/aspire/trunk/corporate-wide-search/ so you may want to take a look in there.
Finally, run the Aspire LDAP Proxy distribution on any machine in the same network that the GSA and the costumer's LDAP server.
"Cannot find a partition for 0.9.2342.19200300.100.1.25=somedomain,0.9.2342.19200300.100.1.25=com" errors when trying the LDAP authentication test on the GSA (or during serve time).
Be sure that the search base you specified in the aspire-ldap-proxy.xml file is the same that is on the GSA LDAP Setup Page.