Active Directory Connector for ACLs V2 Configuration Reference
The Active Directory Connector for ACLs V2 plugin is a special connector that supports other data sources by collecting Access Control List (ACL) data.
It indexes ACL information into a configured "sidecar" Solr collection, for use by other connectors.
The AD for ACLs plugin connects to LDAP, AD, and Azure AD instances to add objects directly to a special collection for use in security trimming queries.
V2 extends the Azure AD model from V1 to return a delta link at the end of a crawl, allowing incremental delta searches for groups and users.
The LDAP initial crawl retrieves the first paginated list of results. When complete, the initial crawl creates a checkpoint as the starting point for incremental crawls.
LDAP incremental crawls use checkpoints to produce specific, paginated access control elements. When complete, the incremental crawl creates another checkpoint to use as a starting point for further incremental crawls.
The Azure AD crawl fetches groups and users stored in Azure AD. Both user and group retrieval use the MS API delta link request to retrieve incremental changes. Unlike LDAP, the AD request returns additions and deletions in a single search, so there is no need to split crawls into two searches per object.
The same type of request with an empty delta link parameter is used for the initial crawl. Objects are retrieved as a delta going back to the very beginning of the Azure AD instance.
For non-removed Azure groups, the Azure group processor sends an additional request to the server to populate its
If an error occurs (for example, a wrong Azure response), then an error is emitted. This causes future crawls to start from the first page of a crawl, using the initial delta link for the current crawl.
Azure rejects delta links older than 30 days. This means incremental crawls must be performed more often than once per month.
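The delta-link checkpoint behaviour described above, sketched as an added example; it is not the connector's own code. It assumes Microsoft Graph delta response field names (value, @removed, @odata.nextLink, @odata.deltaLink); the function names, the in-memory store, staging changes until the final page arrives, and falling back to an initial crawl once the saved link is older than 30 days are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# From the page: Azure rejects delta links older than 30 days.
DELTA_LINK_MAX_AGE = timedelta(days=30)

def crawl_mode(checkpoint, now):
    """Pick the request type for the next crawl from the saved checkpoint."""
    if not checkpoint or not checkpoint.get("delta_link"):
        return "initial"          # empty delta link: objects come back from the beginning
    if now - checkpoint["saved_at"] > DELTA_LINK_MAX_AGE:
        return "initial"          # assumption: a link Azure would reject forces a fresh start
    return "incremental"

def apply_crawl(acl_store, checkpoint, pages, now):
    """Apply one crawl's pages; return the (acl_store, checkpoint) to persist.

    Assumption: changes are staged and committed only when the final page
    supplies a new delta link, so a bad response leaves the previous
    checkpoint in place and the next crawl restarts from it.
    """
    staged = dict(acl_store)
    for page in pages:
        if "value" not in page:                    # unexpected response shape
            return acl_store, checkpoint
        for obj in page["value"]:
            if "@removed" in obj:                  # deletion arrives in the same search
                staged.pop(obj["id"], None)
            else:                                  # addition or update
                staged[obj["id"]] = obj.get("displayName", "")
        if "@odata.deltaLink" in page:             # last page of the crawl
            return staged, {"delta_link": page["@odata.deltaLink"], "saved_at": now}
    return acl_store, checkpoint                   # pages ended without a delta link

# Constructed sample data (not real Azure output).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
PAGES_OK = [
    {"value": [{"id": "u1", "displayName": "Alice"}, {"id": "g1", "displayName": "Finance"}],
     "@odata.nextLink": "https://example.invalid/page2"},
    {"value": [{"id": "u2", "@removed": {"reason": "deleted"}}],
     "@odata.deltaLink": "https://example.invalid/delta?token=B"},
]
PAGES_BAD = [{"value": [{"id": "u1", "@removed": {"reason": "deleted"}}]},
             {"error": {"code": "badRequest"}}]

if __name__ == "__main__":
    store, cp = {"u2": "Bob"}, {"delta_link": "https://example.invalid/delta?token=A", "saved_at": T0}
    store, cp = apply_crawl(store, cp, PAGES_OK, T0 + timedelta(days=7))
    print(store, cp["delta_link"], crawl_mode(cp, T0 + timedelta(days=40)))
```

Alerting when the saved checkpoint approaches the 30-day limit keeps the sidecar collection from drifting out of date, which matters because security trimming queries rely on it.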
The aclCollectionName field value should match the associated value in the main datasource. For example, Sharepoint > Security Trimming > ACL Collection Name.
To improve performance, narrow search results for users and groups by setting the
groupBaseDn field values. These fields must select the subtree of the
When entering configuration values in the UI, use unescaped characters, such as