Active Directory for ACLs V2Connector Configuration Reference
The Active Directory Connector for ACLs V2 plugin:
-
Is a special connector that supports other data sources with collecting Access Control List (ACL) data
-
Indexes ACL information into a configured "sidecar" Solr collection, for use by other connectors
-
Connects to LDAP, AD, and Azure AD instances to add objects directly to a special collection for use in security trimming queries
-
Extends the Azure AD model from V1 to return a delta link at the end of a crawl, allowing incremental delta searches for groups and users
|
|
Deprecation and removal notice
This connector is deprecated as of June 19, 2023 and is removed or expected to be removed as of January 31, 2024. The Active Directory for ACLs V2 connector is not compatible with Fusion 5.6 and later, regardless of the removal date. Use the LDAP ACLs V2 connector instead.
|
-
LDAP initial crawl for first paginated list of results. When complete, the initial crawl creates a checkpoint as the starting point for incremental crawls.
-
LDAP incremental crawls uses checkpoints to produce specific, paginated access control elements. When complete, the incremental crawl creates another checkpoint to use as a starting point for further incremental crawls.
-
Azure AD crawl fetches groups and users stored in Azure AD. Both User and Group retrieval is using the MS API delta link request to retrieve incremental changes. Unlike LDAP, AD request returns additions and deletions in a single search, so there is no need to split crawls onto two searches per object.
The same type of request with an empty delta link parameter is used for the initial crawl. Objects are retrieved as delta going back to the very beginning of the Azure AD instance.
For non-removed Azure groups, the Azure group processor sends an additional request to server to populate its memberof collection.
If an error occurs (for example, a wrong Azure response), then an error is emitted. This causes future crawls to start from the first page of a crawl, using the initial delta link for the current crawl.
|
|
Azure rejects delta links older than 30 days. This mean incremental crawls must be performed more often than oncer per month.
|
-
The aclCollectionName field value should match the associated value in the main datasource. For example, Sharepoint > Security Trimming > ACL Collection Name.
-
To improve performance, narrow search results for users and groups by setting the userBaseDn and groupBaseDn field values. These fields must select the subtree of the baseDn field.
|
|
When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.
|
Active Directory Connector for Access Control.
description - string
Optional description
<= 125 characters
diagnosticLogging - boolean
Enable diagnostic logging; disabled by default
Default: false
coreProperties - Core Properties
Common behavior and performance settings.
fetchSettings - Fetch Settings
System level settings for controlling fetch behavior and performance.
indexingInactivityTimeout - number
The maximum amount of time to wait for indexing results (in seconds). If exceeded, the job will be failed
>= 60
<= 9223372036854776000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 1800
Multiple of: 1
numFetchThreads - number
Maximum number of fetch threads; defaults to 5.This setting controls the number of threads that call the Connectors fetch method.Higher values can, but not always, help with overall fetch performance.
>= 1
<= 500
exclusiveMinimum: false
exclusiveMaximum: false
Default: 5
Multiple of: 1
indexingThreads - number
Maximum number of indexing threads; defaults to 4.This setting controls the number of threads in the indexing service used for processing content documents emitted by this datasource.Higher values can sometimes help with overall fetch performance.
>= 1
<= 10
exclusiveMinimum: false
exclusiveMaximum: false
Default: 4
Multiple of: 1
pluginInstances - number
Maximum number of plugin instances for distributed fetching. Only specified number of plugin instanceswill do fetching. This is useful for distributing load between different instances.
<= 500
exclusiveMinimum: false
exclusiveMaximum: false
Default: 0
Multiple of: 1
fetchResponseScheduledTimeout - number
The maximum amount of time for a response to be scheduled. The task will be canceled if this setting is exceeded.
>= 1000
<= 500000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 300000
Multiple of: 1
pluginInactivityTimeout - number
The maximum amount of time to wait for plugin activity (in seconds). If exceeded, the job will fail with a plugin inactivity timeout.
>= 60
<= 691200
exclusiveMinimum: false
exclusiveMaximum: false
Default: 600
Multiple of: 1
indexMetadata - boolean
When enabled the metadata of skipped items will be indexed to the content collection.
Default: false
asyncParsing - boolean
When enabled, content will be indexed asynchronously.
Default: false
id - stringrequired
A unique identifier for this Configuration.
>= 1 characters
Match pattern: ^[a-zA-Z0-9_-]+$
properties - Properties
Plugin specific properties.
security - Security trimming configuration
collectionId - string
Id of the collection to be used for storing ACL records. If not specified, ACL collection name will be generated automatically using pattern '<datasource_id>_access_control_hierarchy'.
authProperties - AD Server Authentication Properties
The credentials to access the AD server
userPrincipal - string
A User Principal with permissions to access the LDAP server. A User Principal can takes the format "user@domain", "domain\user" or a distinguished name to the user such as "CN=user,DC=domain,DC=com". This property is not required for anonymous access
password - string
Password of the User Principal. This property is not required for anonymous access
serverProperties - AD Server Properties
AD server Configurations
ldapHost - string
The LDAP host of the LDAP/AD server where user information is stored.
ldapPort - number
The LDAP/AD server port to use. It will be used for all communication to server with an exception: When You specify one of standard global catalog ports (3268 or 3269) then requests like netbios domain searchwill use default ldap/ldaps port.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 389
Multiple of: 1
searchProperties - AD Search Properties
Search Configurations
baseDn - string
The base Distinguished Name (DN) in LDAP directory. It will be used for query for deleted objects. Also, it will be used in normal search queries in case the specific user/group dn is not set
>= 1 characters
apiQueryRowLimit - number
The maximum number of rows returned on a single page from the server. If the server have a lower upper bound, the maximum available amount will be requested.
>= 1
<= 1000
exclusiveMinimum: false
exclusiveMaximum: false
Default: 1000
Multiple of: 1
followReferrals - boolean
Whether or not to follow LDAP referrals when fetching ldap groups.
Default: false
userSearchProp - User Search Properties
User Search Configurations
crawlForUsers - boolean
Set to true if you want to crawl Active directory servers for users data.
Default: true
userBaseDn - string
Optional - Distinguished name (DN) in LDAP directory where user objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for users.
userFilter - string
LDAP filter used when querying to listing all user objects.
Default: (&(objectclass=user)(sAMAccountName=*))
groupSearchProp - Group Search Properties
Group Search Configurations
crawlForGroups - boolean
Set to true if you want to crawl Active directory servers for groups data.
Default: true
groupBaseDn - string
Optional - Distinguished name (DN) in LDAP directory where group objects reside, such as CN=Users,DC=example,DC=com. If you do not specify this, the "Base DN" will be used when querying for groups.
groupFilter - string
LDAP filter used when listing all group objects.
Default: (&(objectclass=group))
azureProperties - Azure AD Properties
Properties that should be set when want to crawl Azure AD instances for additional group definitions
crawlForGroups - boolean
Set to true if you want to crawl Azure AD instances for groups data.
Default: false
crawlForUsers - boolean
Set to true if you want to crawl Azure AD instances for user data.
Default: false
authProperties - Authentication Properties
The credentials to access the Azure instance
tenantId - string
If crawling Azure AD instances, supply Azure Tenant ID. This is required when listing Azure Groups from Microsoft Graph API.
clientId - string
If crawling Azure AD instances, supply the Azure Application's Client ID. This is required when listing Azure Groups from Microsoft Graph API.
clientSecret - string
If crawling Azure AD instances, supply the Azure Application's Client secret. This is required when listing Azure Groups from Microsoft Graph API.
batchSize - number
Batch size of the requests to Microsoft Graph API.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 500
Multiple of: 1
connectionProperties - Connections Properties (Deprecated)
Connections Configurations
timeoutProperties - Timeout Properties
Timeout Configurations
readTimeout - number
The read timeout in milliseconds for an LDAP operation.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 5000
Multiple of: 1
connectTimeout - number
If the LDAP provider cannot establish a connection within this timeout period in milliseconds, it aborts the connection attempt.
>= -2147483648
<= 2147483647
exclusiveMinimum: false
exclusiveMaximum: false
Default: 3000
Multiple of: 1
sslProperties - SSL Properties
SSL Configurations
useLdaps - boolean
Whether or not to use LDAPS secure protocol.
Default: false
base64SSLCertificate - string
For use with LDAP with SSL only, this is the Base 64 encoded SSL server certificate that will be used to securely communicate with the LDAP server. The entire content of the SSL certificate must be set included the ----BEGIN CERTIFICATE -----and ----- END CERTIFICATE-----. No additional encoding is required.
documentsProperties - Document Save Options
Document Save Options
adNetbiosDomain - string
Use this Active Airectory netbios domain. If not specified, the 'CN=Partitions,CN=Configuration,{dn}' will be used to dynamically look up the netbios domain.
itemRetryProperties - Item Retry Settings
Options to configure the retry operation for items.
maxRetries - number
The maximum number of attempts for a failed item
<= 20
exclusiveMinimum: false
exclusiveMaximum: false
Default: 3
Multiple of: 1
retryDelayInSeconds - number
The amount of time, in seconds, before process again a failed item
>= 1
<= 600
exclusiveMinimum: false
exclusiveMaximum: false
Default: 30
Multiple of: 1