Google Search Appliance Managing Search for Controlled-Access Content User Manual

Integrating the Search Appliance with an LDAP Server
If you are not using Kerberos authentication, and want to enable the search appliance to validate a
user’s login name and password by using a Lightweight Directory Access Protocol (LDAP) server, enable
Directory Integration. This section provides a general overview of how to enable the search appliance to
authenticate credentials against one or more LDAP servers. When a user connects to the Google Search
Appliance and requests a search for secure results, the search appliance asks for credentials from the
user. These credentials are then forwarded to an LDAP server for validation.
Note: The search appliance does not support using LDAP and Kerberos authentication at the same time;
you must choose one method for all servers on your domain.
To specify LDAP settings for the search appliance:
1. Log in to the Admin Console.
2. Choose Serving > Access Control.
3. Click Save Settings.
4. Choose Administration > LDAP Setup.
5. Click Create new LDAP Server. The LDAP setup options appear.
6. In the LDAP Directory Server Address section, enter the following information:
   • Host—LDAP directory server’s host name, which is a fully-qualified domain name or an IPv4 address.
   • Port number (optional)—the port number where the LDAP server listens for requests.
7. If your LDAP server does not allow anonymous users to search, enter the following user credentials that the search appliance uses when logging into the LDAP server:
   • Distinguished Name (DN)—A login on the LDAP server to which the search appliance connects to send authentication requests. If the LDAP server supports anonymous binds (authentication requests), you do not need to specify a DN.
   • Password (optional)—The password for the DN.
8. (Optional) Click the Go to advanced settings page even if detection fails checkbox.
9. Click Continue.
The search appliance attempts to auto-detect the settings of the LDAP Search Base, the User
Search Filter, and the Group Search Filter, and whether SSL support exists, and displays what it
has detected. The advanced settings appear. If you have any version of Active Directory, the resolve
nested groups operator (:1.2.840.113556.1.4.1941:) is automatically populated in Group Search Filter.
Nested group lookup is not supported for Windows 2003 SP1 or older. To use group lookup for
Active Directory running on Windows 2003 SP1 or older, you must remove the resolve nested
groups operator.
10. If the LDAP server is used to authenticate administrators to the search appliance, specify the LDAP groups against which they will be authenticated:
   • Superuser Group—Any member of this group is considered an Admin Console administrator.
   • Manager Group—Any member of this group is considered an Admin Console manager.
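
The Group Search Filter from step 9, as an added example (not code from this manual or from the search appliance): it builds an Active Directory membership filter with and without the resolve nested groups operator and escapes the user DN per RFC 4515 so that special characters in the DN cannot alter the filter. The `member` attribute, the function names and the sample DN are assumptions constructed for illustration.

```python
# Added example: not code from the manual or the search appliance.
# Assumptions: the "member" attribute, the function names and the sample DN.

NESTED_GROUPS_OID = "1.2.840.113556.1.4.1941"  # operator quoted in step 9


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515, section 3)."""
    special = {"\\", "*", "(", ")", "\x00"}
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def group_search_filter(user_dn: str, nested: bool = True,
                        attr: str = "member") -> str:
    """Build a filter matching groups that contain user_dn.

    nested=True inserts the resolve nested groups operator so Active
    Directory walks the membership chain; nested=False is the form needed
    for Windows 2003 SP1 or older, where the operator is not supported.
    """
    rule = f":{NESTED_GROUPS_OID}:" if nested else ""
    return f"({attr}{rule}={escape_filter_value(user_dn)})"


def remove_nested_operator(filter_text: str) -> str:
    """Strip the operator from an existing Group Search Filter string."""
    return filter_text.replace(f":{NESTED_GROUPS_OID}:", "")


# Constructed sample DN: the comma inside the CN is escaped with a backslash
# (DN syntax), and the CN also contains parentheses.
SAMPLE_DN = r"CN=Doe\, Jane (Contractor),OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    with_nested = group_search_filter(SAMPLE_DN)
    print(with_nested)
    print(remove_nested_operator(with_nested))
```

The backslash that escapes the comma in the DN is itself escaped as `\5c` in the filter, a detail that is easy to miss when a filter is assembled by plain string substitution.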