Use The Active Directory ACL Collection (V1)

The Active Directory Connector for ACLs indexes Active Control List (ACL) information into a configured "sidecar" Solr collection, so that it can be used by other connectors.

Note
This article describes how to use an ACL collection generated by the Active Directory Connector for ACLs in V1 platform version.

During the security trimming stage, the ACL collection is queried using a Solr graph query, which creates a graph of the results using nodes from one document to another.

To use the ACL collection, provide the inputs described below when configuring the Active Directory Connector for ACLs:

Input Description Example

Start Links

Each LDAP or LDAPS URL that is crawled.

ldaps://na.lucidworks.com

LDAP User Principal

The user principal account that crawls LDAP.

firstname.lastname@na.lucidworks.com

LDAP User Password

The password of the user that crawls LDAP.

Password123

LDAP Search Base

The base DN that performs the crawl.

DC=na,DC=lucidworks,DC=com

LDAP User Base (optional)

A list of users that are permitted to access a specific LDAP base.

OU=Users,DC=na,DC=lucidworks,DC=com

LDAP Group Base (optional)

A list of groups that are permitted to access a specific LDAP base.

OU=Groups,DC=na,DC=lucidworks,DC=com

LDAP User Filter (optional)

A custom attribute filter that finds user records in LDAP.

(&(objectclass=user)(sAMAccountName=*))

LDAP Group Filter (optional)

A custom attribute filter that finds group records in LDAP.

(&(objectclass=group))

SOLR ACL Collection Name

The name of the ACL collection.

acl

Index sAMAccountName Users (Active Directory only)

When active, a document is created in the ACL collection representing a user with an ID of sAMAccountName. This allows security trimming on the domain\username version of the username.

true

Index userPrincipalName Users (Active Directory only)

When active, a document is created in the ACL collection representing a user with an ID of userPrincipalName. This allows security trimming on the username@fqdn.com version of the username.

false