Active Directory Security Source

The Active Directory is a Microsoft Windows-based implementation of LDAP. The Active Directory security source inherits the generic LDAP security source behavior with a specific configuration.

This section describes the Active Directory specific LDAP implementation.

Important: The Active Directory security source does not update security information automatically. The workaround to this limitation is to run the following command in your <DATADIR>\bin directory:
cvcommand <HOSTNAME>:<BASEPORT+11> /mami/master ReloadSecuritySource? securitySourceName="<SECURITY_SOURCE_NAME>"

This page discusses:

See Also
LDAP Overview
Configure an LDAP Security Source
OpenLDAP Security Source
Lotus Domino Security Source
Configure an LDAP Security Source

User Login

In the Active Directory, the user object class identifies users. The user login match is case insensitive. You can use several attributes for a valid user login.

Attribute Description
DN login Allows the user to log in with the full DN. Only DNs rooted on the defined LDAP search base are allowed.
sAMAccountName The windows account name, for example, doe.
mail The user email address, for example, john.doe@exalead.com.
userPrincipalName The user principal name, for example, doe@office.exalead.com.

Exalead CloudView tries to match the user login with these attributes in this order. There must be a unique match for the value on the Active Directory server, otherwise, the login fails. The first step in the user-login phase resolves the full user DN.

In some cases, the Active Directory server login is not used and only security tokens are resolved.

Display Name

The displayName attribute of the Active Directory generates the user display name.

Group Configuration

In Active Directory, the group object class identifies groups. The groups a user belongs to are computed at login time, using the configuration lists:

  • Group > Additional LDAP attributes: the list of attributes that contain the additional attributes to return for a given group.

  • Group > Groups attributes: the list of attributes that contain the members of a given group. To compute the groups a user belongs to, the memberOf attribute defines the group entries.

  • Person > Groups attributes: the list of attributes that contain the groups of a given user.

Security Tokens

In Active Directory, user security tokens are generated based on the user entry and the group. Security tokens are built from windows object SIDs. The generated security tokens allow the matching of security tokens that can be set by a filesystem, Microsoft Exchange, or Microsoft Office Sharepoint Server connector.

Security tokens can be generated from the user entry. For example, if the user CN=John Doe, OU=Exalead Users, DC=office, DC=exalead, DC=com has the following LDAP attributes:

  • objectSid: S-1-5-19819-101018018-189989898

  • primaryGroupId: 1891

The following security tokens are generated:

  • windows:S-1-5-19819-101018018-189989898

  • windows:S-1-5-19819-101018018-189989898-1891

  • windows:S-1-5-32-545 (BUILTIN\Users group)

Security tokens can be generated from groups to which the user belongs. For example, if the group CN=Administrators, CN=Exalead Users, DC=office, DC=exalead, DC=com has the following LDAP attributes:

  • objectSid: S-1-5-19819-101018018-189989898

The generated security tokens for this group is:

  • windows:S-1-5-19819-101018018-189989898