Google Search Appliance Security User Manual
Page 31
When the connector is intended to provide both authentication and group resolution, the implementation
can ignore what the GSA passes to it through the AuthenticationIdentity object and provide a verified
username and groups back to the GSA through AuthenticationResponse. Here is the constructor of
AuthenticationResponse:
public AuthenticationResponse(boolean valid, String data, Collection<Principal> groups);
“valid” indicates whether authentication succeeded, when the “authenticate()” method is used to
perform authentication. “data” is reserved for future use. The collection “groups” holds the user's
groups as instances of the following class:
public class Principal;
This class holds information about a group: name, namespace, case sensitivity, and principal_type. These
are attributes of a Per-URL ACL. The last attribute, principal_type, is used by the Connector Framework to
introduce a concept of “Local Namespace”. See the
how namespaces should be mapped. Here is how it’s used during traversal:
1. The connector is configured in the GSA’s admin console with both a global namespace
(credential group), and a local namespace.
2. The connector gathers all groups and creates the Principal object. If they are local to one content
source, the principal_type is set to “unqualified”. The name of the local namespace is prefixed to
the name of the group just like a domain.
3. The Connector Manager translates the Principal objects into the ACL definition in XML Feeds,
mapping the properties of the Principal objects to the corresponding ACL attributes.
Database support
There are two design options for connectors to resolve groups during serve time:
1. A connector can query the application where the group memberships are stored during serve
time, when an API is available. The Google-supported connector for Documentum (version
3.2), which supports early binding, uses this approach.
2. Users, groups, and their relationships could be discovered beforehand and saved in the
connector’s own storage. During serve time, the connector reads from this storage and provides it
to the appliance. The Google-provided Active Directory Groups connector and SharePoint
connector are such examples. Sometimes this is the only option. For example, when there are
multiple Active Directory Domains, querying all of them during serve time can be very slow,
so a real-time call is not feasible.
The Connector Framework includes database support. The configuration file
applicationContext.properties has JDBC configuration settings for different databases. The Connector
Framework comes with a built-in H2 database. When you develop connectors, you can store user
memberships in the database with the second approach outlined above.
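The following added example (not code from the manual or the Connector Framework) models both passages above: step 2 of the traversal procedure, which turns gathered groups into Principal records with the local namespace prefixed like a domain, and the second serve-time design, which reads pre-discovered memberships from the connector's own store. It uses sqlite3 as a stand-in for the built-in H2 database, a dataclass as a stand-in for Principal, and assumes the namespace names, the backslash separator and the label "qualified" for non-local groups, none of which the manual specifies.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Tuple

GLOBAL_NAMESPACE = "Default"   # credential group from the admin console (assumed name)
LOCAL_NAMESPACE = "docshare"   # local namespace for this connector (assumed name)


@dataclass(frozen=True)
class Principal:
    """Stand-in for the Framework's Principal: the four attributes the manual lists."""
    name: str
    namespace: str
    case_sensitive: bool
    principal_type: str


# Constructed sample data discovered during traversal, NOT at serve time.
SEED_USERS = [("alice",), ("bob",)]
SEED_MEMBERSHIPS = [          # (username, group, is_local)
    ("alice", "Everyone", 0), ("alice", "Engineering", 1),
    ("alice", "Reviewers", 1), ("bob", "Everyone", 0),
]


def build_store() -> sqlite3.Connection:
    """Create the connector's own store (sqlite3 stands in for the built-in H2 DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (username TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE membership (username TEXT, grp TEXT, is_local INTEGER)")
    conn.executemany("INSERT INTO app_user VALUES (?)", SEED_USERS)
    conn.executemany("INSERT INTO membership VALUES (?, ?, ?)", SEED_MEMBERSHIPS)
    return conn


def to_principal(group: str, is_local: bool) -> Principal:
    """Step 2: local groups are 'unqualified' and get the local namespace prefixed
    like a domain (backslash separator is an assumption)."""
    if is_local:
        return Principal(f"{LOCAL_NAMESPACE}\\{group}", LOCAL_NAMESPACE, False, "unqualified")
    return Principal(group, GLOBAL_NAMESPACE, False, "qualified")  # label assumed


def resolve_groups(conn: sqlite3.Connection, username: str) -> List[Principal]:
    """Serve-time lookup against the connector's store only; no live source call."""
    rows = conn.execute("SELECT grp, is_local FROM membership WHERE username = ?", (username,))
    return [to_principal(grp, bool(local)) for grp, local in rows]


def build_response(conn: sqlite3.Connection, verified_username: str) -> Tuple[bool, str, List[Principal]]:
    """Shape of AuthenticationResponse(valid, data, groups). The username must have been
    verified by the connector itself; an unknown user yields valid=False and no groups."""
    known = conn.execute("SELECT 1 FROM app_user WHERE username = ?", (verified_username,)).fetchone()
    if known is None:
        return (False, "", [])
    return (True, "", resolve_groups(conn, verified_username))
```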