Enabling group lookup, Configuring a credential group for ldap – Google Search Appliance Managing Search for Controlled-Access Content User Manual
Enabling Group Lookup
You can enable a search appliance to automatically look up group information for a user during
authentication, provided that the search appliance has a verified identity for the user.
To look up group information for a user, the search appliance uses the combination of group
information from all its available sources. For example, if the search appliance has group information in
the form of policy ACLs, it looks up group information for the user in the policy ACLs.
Group lookup works only if LDAP is correctly configured for the search appliance. However, group
lookup works even if LDAP is not enabled for the search appliance.
Nested group lookup is supported for Windows 2003 SP2 and later only. To use group lookup for Active Directory running on Windows 2003 SP1 or older, you must remove the resolve nested groups operator (:1.2.840.113556.1.4.1941:) after it has been populated in Group Search Filter.
To enable group lookup, click the Lookup a user’s group information during Authentication
whenever possible checkbox on the Serving > Universal Login Auth Mechanisms > LDAP page. For
more information, see “Configuring a Credential Group for LDAP” on page 36.
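The following script is an added illustration, not code from the manual or the appliance: it builds the Group Search Filter in both forms (with and without the resolve nested groups operator) and evaluates each against a constructed sample directory, so the difference between direct and nested membership lookup is visible. The DNs and group memberships are constructed sample data.

```python
"""Added example: what the resolve nested groups operator changes.

The manual says Group Search Filter is populated with the operator
:1.2.840.113556.1.4.1941: (the Active Directory matching rule that walks
group membership transitively) on Windows 2003 SP2 and later, and that it
must be removed for SP1 and older. This builds both filter forms and
evaluates them locally over constructed sample data.
"""

NESTED_OPERATOR = ":1.2.840.113556.1.4.1941:"

# Constructed sample directory: group DN -> direct members (users or groups).
# Staff and Engineering reference each other to exercise cycle handling.
DIRECTORY = {
    "CN=Staff,OU=Groups,DC=example,DC=com": [
        "CN=Engineering,OU=Groups,DC=example,DC=com"],
    "CN=Engineering,OU=Groups,DC=example,DC=com": [
        "CN=Backend,OU=Groups,DC=example,DC=com",
        "CN=Staff,OU=Groups,DC=example,DC=com"],
    "CN=Backend,OU=Groups,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com"],
    "CN=Contractors,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com"],
}


def group_search_filter(user_dn, nested=True):
    """Build the member filter, with or without the nested-groups operator."""
    op = NESTED_OPERATOR if nested else ""
    return f"(&(objectClass=group)(member{op}={user_dn}))"


def strip_nested_operator(ldap_filter):
    """Remove the operator, as required for Windows 2003 SP1 and older."""
    return ldap_filter.replace(NESTED_OPERATOR, "")


def groups_for(user_dn, nested=True):
    """Evaluate the filter locally: direct membership only, or the
    transitive closure the matching rule computes server-side."""
    direct = {g for g, members in DIRECTORY.items() if user_dn in members}
    if not nested:
        return direct
    seen, todo = set(), list(direct)
    while todo:  # walk parent groups; 'seen' guards against cycles
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(p for p, members in DIRECTORY.items() if g in members)
    return seen
```

Without the operator, alice is only found in Backend; with it, the lookup also returns Engineering and Staff, which is what the appliance relies on when matching group ACLs.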
Configuring a Credential Group for LDAP
To add a credential group rule, enable LDAP and automatic lookup of group information:
1. Click Serving > Universal Login Auth Mechanisms > LDAP.
2. Click the Use LDAP for User Authentication during serve-time checkbox.
3. Click the Lookup a user’s group information during Authentication whenever possible checkbox.
4. Select a credential group from the pull-down menu.
5. In the Mechanism Name box, type a unique name for the authentication mechanism. A mechanism name must not be the same as another mechanism name or credential group name. Mechanism names are case-insensitive and can be up to 200 characters long, and can contain only alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.
6. Optionally, change the default time for the search appliance to make a network connection by entering the number of seconds in the Timeout box.
7. Click Save.
Protecting the User’s Credentials for Serve with HTTP Basic and NTLM HTTP
When a user performs a query for secure content, the search appliance responds with the same
protocol. Because the responses for serve over HTTP Basic and NTLM HTTP include authorization
headers, a malicious user could intercept the message and extract the header. To protect the user’s
credentials against such an attack, you can force the use of HTTPS during serve, even when the search
request is sent over HTTP.
To specify whether the search appliance serves all content over HTTPS:
1. Log in to the Admin Console.