LDAP/AD Realm

Secure Search can be used based on the LDAP/Active Directory configuration by enabling the checkbox LDAP/AD Realm and providing the required settings, as shown:

1183

LDAP Settings

  1. Select LDAP/AD Realm
788
  1. Give the required LDAP details
FieldDescription
LDAP URLLDAP URL that specifies a base search for the entries
Search BaseSearch Base for the active directory
UsernameAdmin username
PasswordPassword for the username
  1. Test the connection. For a successful connection you would get the message as shown:
795

Add Security Group

  1. Using this setting you can configure security group settings for LDAP/ Active Directory.
1110
  1. Give the parameters for the Security Group for LDAP. The information on the parameters is provided in the following table
FieldDescription
Group NameName of the security group. This can be given by the user based on their OU or requirement.
Group Name accepts alphanumeric characters of length min. 3 - max. 50 characters. The only special character allowed in Group Name is underscore.
Search BaseSearch Base for the active directory/security group
RoleThere are two values Normal or Sensitive. Default is Normal.
Sensitive users have access to encrypted content Collection Encryption
PriorityThe priority of the Group.
Usecase:
If a user is in two groups, the group which has a greater priority will be taken as the user group.
CollectionsCollections accessible by the users in the Group
  1. After adding the groups, you can view the same under Security User Groups dashboard as shown:
1152

Features of Security Groups in LDAP Realm

Group Settings

  • After providing the LDAP settings, it is mandatory to give Group settings. This is required to integrate collection based security with LDAP security for the search results.
  • When creating a group, one can assign a set of collections to the same, then the user belonging to the group will have access only to the same set of collections.
  • The users belonging to the OU, that is, Organizational Unit will belong to the group
  • It is possible to create more than one group for one Organizational Unit (OU)
  • The permissions and users for a group are fetched based on the search base provided, and therefore, it is an important parameter for Security User Group creation

Group Naming

  • LDAP security groups can be named according to the Microsoft naming convention, allowing special characters.
  • According to the Microsoft documentation, the LDAP distinguished name is globally unique. For example, the distinguished name of a computer named mycomputer in the MyOrganizationalUnit organizational unit in the microsoft.com domain is CN=mycomputer, OU=MyOrganizationalUnit, DC=microsoft, DC=com.
  • For example, “A602-AC-DMASFS2_sdata RW”

Priority

  • When a user is available in two groups, they will be considered in the group of higher priority.
    For example,
    Let us consider that the user belongs to group A with priority 5 and access to collection 1 and also belongs to group B with priority 3 and access to collection 2. Due to higher priority in group A, they will be considered to belong in Group A and therefore, will have access to results only for collection 1.

Sensitive User

  • Only the users with a sensitive role would be able to view encrypted content. Please refer Collection Encryption for more details on Encryption.

Accessing Secure Search for LDAP Realm

Log in using LDAP/AD credentials here:
http://localhost:8080/searchblox/plugin/index.html

638

Then perform the secure search.

1089