Skip to main content

Experience Management

How to easily check group lookup results with Connector Manager

With Google Search Appliance (GSA) connector framework 3.x, user group lookup is an essential part of user authorization when searching for controlled-access content, especially for early binding.
How to easily check group lookup results with Connector ManagerDuring controlled-access content search, GSA first authenticates user with the authentication mechanism configured. After the user identity is resolved, GSA will pass it to the connector for group lookup if any connector(s) are designated for group lookup. Based on the group membership information returned from group lookup, GSA will do result trimming to return … results to the user.
Quite often we would encounter issues where the search results are not expected. In order to investigate the causes, we need check user authentication, group lookup, and ACL information retrieved for controlled-access content.
GSA connector framework 3.x provides a very straightforward way to verify the user’s group membership. Here are the steps to do that:

  • Create a simple XML file, say authnReq.xml with following content, and put it under Connector Manager (CM) server host:

<AuthnRequest>
<Credentials>
<Username>myaccount</Username>
</Credentials>
</AuthnRequest>

Where myaccount is the user account you need verify, which would be the result of user authentication.

  • Run the following curl command within the directory where the above file was saved :
    curl -H “Content-Type: text/xml; charset=utf-8” -d @authnReq.xml -X POST http://localhost:8080/connector-manager/authenticate

The header directive -H “Content-Type: text/xml; charset=utf-8” can be omitted in some cases. If you do not get the results you expected, try adding it to the curl call.

  • That’s it. Then you would see the groups the user belongs to.

Here is an example running against a SharePoint connector that was designated as a group lookup:

<CmResponse>
<AuthnResponse>
<Success ConnectorName=”myspserv”>
<Identity>myaccount</Identity>
<Group namespace=”Default”>NT AUTHORITY\authenticated users</Group>
<Group namespace=”Default”>NT AUTHORITY\interactive</Group>
<Group namespace=”Default”>everyone</Group>
<Group namespace=”Default”>MYCORP\quality center</Group>
<Group namespace=”Default”>MYCORP\it ad admin</Group>
<Group principal-type=”unqualified” namespace=”Default_myspserv”>[http://sharepoint.mycorp.com]IT Users</Group>
</Success>
</AuthnResponse>
</CmResponse>

Groups from both Active Directory and SharePoint were retrieved for the user in question.
Here are a few interesting observations:

  • This approach works for all the connectors provided by Google, and all the connectors built on top of Google connector framework 3.x.

  • This approach also works for connectors that obtain user groups by connecting to content source system at runtime.

  • There is no need to specify user’s password in the request XML file. It will be very convenient for GSA admin to troubleshoot search issues for everyone.

  • The request content can include domain information so that you can verify the handling of domain during group lookup.

<AuthnRequest>
<Credentials>
<Username>myaccount</Username>
<Domain>MYCORP.COM</Domain>
</Credentials>
</AuthnRequest>

  • This approach can also be used for readiness test of group lookup on connectors, especially for complicated connector implementation, such as Google SharePoint connector.

Recently I deployed a Perficient connector to a client. Even I was not granted access account to the system due to the client’s policy, with this approach I was still able to easily verify the user’s group membership and the controlled-access content a user was supposed to search.
Another good usage of this approach is monitoring the connection health to external database from Connector Manager, without even worrying about the connection string to the external database and the credential of database user account.

Thoughts on “How to easily check group lookup results with Connector Manager”

  1. Allen, I think this is a great tip, and also emphasizes the importance of locking down the Connector Manager with the IP Address filter in server.xml. Only the GSA or other trusted machines should be allowed to request data from the Connector Manger.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Follow Us