Configuring the Connector for LDAP (Deprecated)

Connector software version 3.0
Connector Manager version 3.0
Installer version 3.0


This document contains the information you need to enable the LDAP connector and configure the Google Search Appliance and the connector to traverse, index, and search content in an LDAP server. The LDAP connector is preinstalled on the Google Search Appliance with search appliance software versions 6.8 and later. You do not install the connector on a separate host.

This document is for LDAP administrators and administrators who install and configure the Google Search Appliance. If you are not familiar with the system that the connector will traverse and index, work closely with your system administrators to determine the correct values for installing and configuring the connector.

Use this document in conjunction with the following related documents:

  • Introducing Connectors, which contains an overview of how connectors work.
  • Search appliance help topics. These pages describe the connector-independent configuration parameters that are available on the Connector Administration pages of the Admin Console.

The rest of this book describes how to configure the Google Search Appliance Connector for LDAP.



Introducing the Google Search Appliance Connector for LDAP

The Google Search Appliance Connector for LDAP is software that enables the Google Search Appliance to index and search records that are stored in an LDAP server. The connector formats content and metadata from the LDAP server repository and feeds it to the Google Search Appliance as a content feed. This section discusses how the Google Search Appliance Connector for LDAP works and the different software components in an installation.

For a general overview of how the connector manager and connectors work, see Introducing Connectors.

The LDAP connector supports the Google Search Appliance feature People Search, which is on the Admin Console under Social Connect > People Search. People Search enables end users to search for information about other users. The LDAP connector is not required for using People Search. Note that the LDAP connector does not create users for the user-added results feature. If you are using LDAP for user authentication, some of the configuration for the LDAP connector resembles LDAP setup elsewhere on the Admin Console, but information is not shared between the two functions. You must configure the LDAP connector separately from LDAP for user authentication.

The LDAP connector is preinstalled on the Google Search Appliance. You configure the connector on the Admin Console, but no separate installation is required.

The LDAP connector traverses records in the LDAP server, then feeds the records to the search appliance for indexing. Traversal begins with the earliest record stored and works forward. All LDAP objects that match the base distinguished name and filter that you specify during connector configuration are indexed.

All LDAP records in the index are public. No special security configuration is required.


Before You Configure the Connector

The LDAP connector indexes LDAP objects that match the basedn and filter that you enter on the configuration form. Before you configure the LDAP connector, determine which LDAP attributes you want indexed. These are the attributes that will be searchable after the indexing process is complete.

The user running the connector installer must have the following user privileges on the connector host:

  • On Windows, the user must be an administrator.
  • On Linux, the user must have sufficient rights to execute the installer file. The user can be a root or nonroot user.

Preparing the LDAP Server and Search Appliance for the Connector

You do not need to perform any special tasks on the LDAP server before you deploy the LDAP connector.

LDAP records are automatically removed from the search index by the connector after you delete them from the LDAP server.


Ensuring that LDAP Documents Are Excluded from the Default Collection

You must also create a collection specifically for the LDAP connector. Exclude the LDAP data from the default collection on your search appliance so that LDAP documents will not show up in two places.


Configuring Crawl and Feeds for the Connector

Before you install the Google Search Appliance Connector for LDAP, you must make an addition to the Follow and Crawl URLs defined in the Admin Console. The Google Search Appliance rejects content in the repository without the addition.

To configure crawl and feeds for the connector:

  1. On the Admin Console, navigate to the Crawl and Index > Crawl URLs page.
  2. In the Follow and Only Crawl URLs with the Following Patterns box, add the following statement:

    ^googleconnector://

    For metadata-and-URL feeds, the following format is also supported:

    http://hostname:port/foo/bar.html

  3. Save the configuration.
  4. Click Crawl and index > Feeds.
  5. In the List of Trusted IP Addresses section, select Trust feeds from all IP addresses or Only trust feeds from these IP addresses.
  6. If you selected Only trust feeds from these IP addresses in step 5, type in the trusted IP addresses.
  7. Click Save Settings.

Configuring a Connector on the Admin Console

Use the Add Connector page in the Google Search Appliance Admin Console to create and configure an LDAP connector instance. The Add Connector page prompts you to enter values for all required configuration parameters.

Before you set up the connector, review the help page for Admin Console > Administration > LDAP Setup, which contains information about the values required for any LDAP configuration with the search appliance.

Cautions:

  • Any time that you select properties to index, save the connector configuration, and edit the properties to index, the dn (distinguished name) property is checked. If you clear the check, save the configuration, and edit again, the check box is still checked.
  • To save the connector configuration, you must select at least one property to index.

To add an LDAP connector:

  1. On the Google Search Appliance Admin Console, click Connector Administration > Connectors.

    The list of existing connectors is displayed.

  2. Click Add New Connector.

    Additional fields are displayed.

  3. In the Connector Name field, type the name of the connector instance.

    Each connector instance added to a particular connector manager or Google Search Appliance must have a unique name. The connector name must consist of no more than 64 alphanumeric characters. All alphabetical characters must be lower-case. Connector names may include underscores (_) and hyphens (-), but they cannot begin with a hyphen.

  4. On the Type drop-down list, select LDAP Connector Type.
  5. Click Get Configuration Form.

    The connector manager name, connector name, and connector type are displayed. These fields cannot be edited.

  6. In the LDAP Directory Server Host Name field, type the LDAP server host name.
  7. In the Port field, type the port for communicating with the LDAP server.

    The default value is 389.

  8. Choose an Authentication Type.

    The choices are Anonymous and Simple.

    • Under Anonymous authentication, the Username and Password fields are ignored.
    • Under Simple authentication, the values in the Username and Password fields are used to authenticate the search appliance on the LDAP system.
  9. In the LDAP Binding Distinguished Name (DN) field, type the user name of a user who has access to the LDAP system. For example, for Active Directory this might be CN=administrator,CN=Users,DC=example,DC=com.
  10. In the LDAP Binding Password field, type the password for the user.
  11. Choose a Connection Method.

    The choices are Standard and SSL.

  12. In the LDAP Search Base field, type in the base distinguished name for the LDAP server. This field is optional. For example, on Active Directory, this might be DC=example,DC=com.
  13. In the User Search Filter field, type the LDAP filter that entries must match to be returned in a search. Note that only these users are indexed. For example, on Active Directory, this might be (&(objectClass=user)(objectClass=person)(sAMAccountName=*)).
  14. In the Traversal Rate section, type the number of documents per minute that you want traversed.

    The default is 200.

  15. In the Retry Delay field, type the number of minutes the connector waits between when a traversal is completed and when the next traversal starts.
  16. To suspend the traversal process without changing the existing connector schedule, check Disable Traversal.
  17. In the Connector Schedule section, indicate the hours between which you want the repository traversed.

    Note that a connector scheduled to run from 12 a.m. to 12 a.m. always runs. Any other schedule with the same beginning and ending time never runs, either for a connector or for the Google Search Appliance's standard crawl function.

  18. Click the Edit link and then click Add Line to Schedule for each additional traversal period you want to schedule.
  19. Click Save Configuration.

    Clicking Save Configuration runs a connectivity test and verifies that the connector can communicate with the LDAP server. The connector also discovers the schema used by the LDAP server. If there are any errors, you see them displayed on the Admin Console. Correct the errors and click Save Configuration again.

  20. In the Schema section, which specifies which metadata in the LDAP records is indexed, check each property you want indexed.
  21. Click Save Configuration.

    If the connector is configured correctly, the new connector is named on the Connectors list.
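
Because every record that matches the LDAP Search Base and User Search Filter is indexed as public content, it helps to preview what a filter selects before saving it. The following is an added example, not part of the connector or of the original document: it evaluates a filter against constructed sample entries and lists the attribute names that would be offered for indexing. It goes beyond the single filter shown in step 13 by handling the &, |, and ! operators, equality, presence, and * wildcards; it does not handle escaped characters or extensible matching, it compares values case-insensitively as a simplification, and the function names and sample data are assumptions.

```python
import re

# Constructed sample entries (attribute name -> list of values), not real data.
SAMPLE_ENTRIES = [
    {"dn": ["CN=Ada Park,CN=Users,DC=example,DC=com"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["apark"], "mail": ["apark@example.com"],
     "telephoneNumber": ["+1 555 0100"]},
    # Active Directory computer accounts also carry the person and user classes.
    {"dn": ["CN=PRINTER01,CN=Computers,DC=example,DC=com"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": ["PRINTER01$"]},
    {"dn": ["CN=Staff,CN=Users,DC=example,DC=com"],
     "objectClass": ["top", "group"], "sAMAccountName": ["staff"],
     "member": ["CN=Ada Park,CN=Users,DC=example,DC=com"]},
    {"dn": ["CN=Contact One,OU=Contacts,DC=example,DC=org"],
     "objectClass": ["top", "person", "contact"], "mail": ["c1@example.org"]},
]

# The example filter from step 13 of the procedure above.
PAGE_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=*))"


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_i)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, children)
    else:
        end = s.find(")", i)
        attr, sep, value = s[i:end if end != -1 else len(s)].partition("=")
        if end == -1 or not sep or not attr or attr[-1] in "<>~:":
            raise ValueError(f"unsupported or malformed item at offset {i}")
        node, i = ("=", attr.strip(), value), end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_filter(text):
    """Turn a filter string into a nested tuple tree, rejecting trailing text."""
    s = text.strip()
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # Attribute names are case-insensitive in LDAP.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if pattern == "*":  # presence test, as in (sAMAccountName=*)
        return bool(values)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def in_scope(dn, base_dn):
    """True when dn is the search base itself or sits below it."""
    dn, base = dn.lower(), base_dn.lower()
    return not base or dn == base or dn.endswith("," + base)


def preview(filter_text, entries, base_dn=""):
    """Return (matching DNs, sorted attribute names found on those entries)."""
    tree = parse_filter(filter_text)
    hits = [e for e in entries
            if in_scope(e["dn"][0], base_dn) and matches(tree, e)]
    attrs = sorted({name for e in hits for name in e if name != "dn"})
    return [e["dn"][0] for e in hits], attrs


if __name__ == "__main__":
    dns, attrs = preview(PAGE_FILTER, SAMPLE_ENTRIES, "DC=example,DC=com")
    print("Entries that would be indexed:", *dns, sep="\n  ")
    print("Attributes available to select in the Schema section:", attrs)
```

Against the sample data, the filter from step 13 also selects the computer account, which is the kind of result worth checking before the records become searchable.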


Verifying That the Connector is Working

After you configure the connector, wait a few minutes and then verify on the Admin Console Feeds page that the Google Search Appliance is receiving feeds. Ensure that the following entry exists on the Crawl Diagnostics page:

connector_instance_name.localhost

Click the entry and navigate through successive links to verify that documents have been sent to the search appliance by the connector named connector_instance_name as content feeds.

After you verify that the search appliance is correctly receiving feeds, perform a search. Unless all content indexed by the connector is public content, perform a secure search.

To view the documents crawled by the connector and the data fed to the search appliance, enable feed logging, a feature that is disabled by default. This is available only for connectors installed on stand-alone hosts.

To enable feed logging:

  1. On the connector manager host, navigate to the directory where the connector is installed.
  2. Navigate to the Tomcat\webapps\connector-manager\WEB-INF directory or folder.
  3. Start a text editor and open the file applicationContext.properties.
  4. Locate the property feedLoggingLevel and change the value to ALL.
  5. Save the file.
  6. Restart the connector. The feed logs are available for all new documents sent by the connector to the search appliance.

Traversal

The following sections describe how the connector traversal process works.


About the Traversal Process

The Google Search Appliance locates web and file system content for indexing through a process called crawl or crawling.

The Google Search Appliance locates content in a content repository using a process called traversal. Traversal is a process in which the connector issues queries to the repository to retrieve content files and the metadata associated with each content file. The content files and metadata are then fed to the Google Search Appliance as a content feed or a metadata-and-URL feed. For more information about content feeds, see the Feeds Protocol Developer's Guide in GSA Product documentation.

If you change the set of metadata that you select for indexing, you must retraverse the content, using the instructions in Resetting Traversal.


How the Traversal Rate Affects Connector Behavior

When you configure a connector instance on the Google Search Appliance Admin Console, you set a traversal rate. The value indicates how many documents per minute the connector traverses in the repository. The default value is 200 documents per minute.

You can set the traversal rate to values higher or lower than 200 documents per minute. The connectors and connector manager are capable of faster traversal rates.

  • To reduce resource consumption in the repository, lower the traversal rate.
  • To increase indexing speed, raise the traversal rate.

If the traversal rate is set to 100 and the connector traverses 100 documents in less than one minute, the traversal process pauses. When the full minute elapses, the traversal process resumes.


Creating and Tuning Connector Schedules

When you schedule connector instances, the performance of the repository is a significant consideration. Depending on the number of traversals and the size of the documents retrieved for indexing, the use of connectors may degrade repository performance. Monitoring and performance-tuning the repository server is especially important when you deploy a new connector or document repository.

Note that a connector scheduled to run from 12 a.m. to 12 a.m. always runs. Any other schedule with the same beginning and ending time never runs, either for a connector or for the Google Search Appliance's standard crawl function.

When you determine the connector schedule, take the following factors into account:

  • When to run the traversal process

    You might add a connector instance to run in off-peak hours to spread out the initial index creation during times of low demand on the repository.

  • How long to run the traversal process

    You might add a connector instance with a very brief schedule to perform predeployment testing, and experiment to see the effects of lengthening the schedule.

Changing the Connector Retry Delay and Schedule

A connector instance cannot self-modify its traversal schedule. Therefore, you must monitor the performance of both the Google Search Appliance and the content management system regularly, and make manual adjustments to the traversal schedules of connectors to optimize performance. You can tune scheduling for optimal performance in these ways:

  • Create a schedule that minimizes the number of concurrent traversal processes that are running.
  • Restrict the times at which those processes run. For example, if the content management system is executing a resource-intensive job, the connector might run slowly. Schedule the connector to run at times when demand on the content management system is light.

Additionally, the connector manager interrupts a connector that takes too long to process a batch of documents. The default duration after which the connector manager interrupts the connector is 1800 seconds, or 30 minutes. The duration is set by the value of the traversal.time.limit property in the applicationContext.properties file. If you want a shorter duration, you can change the value of traversal.time.limit.

To change the default value of the traversal.time.limit property:

  1. Stop Apache Tomcat.
  2. Open the applicationContext.properties file in a text editor. The top of the file contains comments with explanatory text. Do not uncomment any of the explanatory text, including the example for traversal.time.limit.
  3. Examine the file to see whether there is a traversal.time.limit entry.
    • If there is an entry, modify the duration.
    • If there is no entry, add one to the end of the file:

      traversal.time.limit=duration_in_seconds

  4. Save the file.
  5. Restart Tomcat.
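
The edit in step 3 can be scripted so that the commented explanatory text is never touched. The following is an added example, not code from the connector manager: it applies the "modify the entry or add one at the end" rule to the text of applicationContext.properties, and the same helper covers the feedLoggingLevel change described under Verifying That the Connector is Working. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed stand-in for applicationContext.properties; the real file differs.
SAMPLE = """\
# Explanatory comments at the top of the file (constructed sample).
# Example of a shorter limit:
# traversal.time.limit=900
gsa.feed.host=localhost
feedLoggingLevel=OFF
"""

# A live entry: optional indent, a key that does not start with a comment
# marker (# or !), then '=' or ':' and the value.
_ENTRY = re.compile(r"^\s*([^#!\s=:][^=:\s]*)\s*[=:]\s*(.*)$")


def set_property(text, key, value):
    """Return (new_text, action) with key set to value.

    Every live entry for key is rewritten; if none exists, one is appended
    at the end of the file. Comment lines are copied through unchanged, so
    a commented-out example of the same key is never uncommented or edited.
    """
    out, found = [], False
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group(1) == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n", ("modified" if found else "appended")


def set_traversal_time_limit(text, seconds):
    """Set traversal.time.limit, which is expressed in whole seconds."""
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("traversal.time.limit must be a positive integer of seconds")
    return set_property(text, "traversal.time.limit", seconds)


if __name__ == "__main__":
    # Run with Tomcat stopped, then write the result back and restart Tomcat.
    new_text, action = set_traversal_time_limit(SAMPLE, 600)
    print(action)
    print(new_text, end="")
```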

Resetting Traversal

If traversal has stopped or no new documents are being fed to the search appliance, you can reset the connector traversal process. When you reset the traversal, the content is traversed in full from the beginning point and the index is recreated.

In search appliance software version 6.0 and later, use the Reset link for the connector instance on the Admin Console > Connectors page. On search appliances running software versions earlier than 6.0, use the following instructions from a browser.

To reset the traversal, open a browser and enter a URL in the following format, where connector_manager_host_address is the location of the connector manager and connector_name is the name of the connector whose traversal you are restarting:

http://connector_manager_host_address:8080/connector-manager/restartConnectorTraversal?ConnectorName=connector_name

For example, if the host address is www.example.com and the connector is named our_connector:

http://www.example.com:8080/connector-manager/restartConnectorTraversal?ConnectorName=our_connector

The URLs are case-sensitive. After you submit the command, you see a response in the browser window. Some browsers display only a zero (0). Other browsers display a full XML document. A 0 response indicates success. A nonzero response indicates a failure.

<CmResponse>
  <StatusId>0</StatusId>
</CmResponse>

Note: With the default Connector Manager v2.x configuration, connector_manager_host_address must be localhost (or more specifically, 127.0.0.1), and the request must originate from the machine on which the Connector Manager is running. If direct access to the Connector Manager machine is inconvenient, Connector Administrators may wish to add administration machines to the list of IP addresses allowed by the RemoteAddrValve. For more details see this page.

When to Delete Feeds

Under the following circumstances, Google recommends that you delete connector feeds. This recommendation applies only to content-feed-based connectors.

  • When you reindex content and the expected new document set leaves out documents or metadata that were previously indexed
  • When you delete a connector instance

When you are reindexing the content, follow this general procedure:

  1. On the Admin Console > Connector Administration > Add Connector page, check Disable Traversal.

    Traversal is enabled by default.

  2. Make any required updates to the connector configuration.
  3. Delete the feed.
  4. Monitor the Crawl Diagnostics page in the Admin Console.
  5. When the indexed documents are removed from the index, navigate to the Connector Administration > Connectors page and click the Reset link for the connector.
  6. On the Admin Console > Connector Administration > Add Connector page, enable traversal by unchecking Disable Traversal.

If you are deleting a connector instance, we recommend that you separately delete the feed. Otherwise, content indexed by the connector is not removed from the index and public content indexed by the connector continues to appear in search results. Secure content does not appear in search results because the authorization check fails.


When to Restart the Connector Service

Restarting the connector service means restarting Apache Tomcat. Restart the connector service only under the following circumstances:

  • When you manually edit the connector's properties file or one of the configuration files (applicationContext.xml, applicationContext.properties, logging.properties, or connectorInstance.xml). Alternatively, for edits to the connectorInstance.xml file only, you can apply the changes on the Admin Console, without restarting the connector service. Click the Edit link for the connector instance, then click Save Configuration.
  • When you install a connector or connector manager JAR file.

Serving

The following sections describe how the connector serving process works and how serve-time security is maintained.


About Serving

Using the Google Search Appliance and Google Search Appliance Connector for LDAP to search an LDAP server is similar to using Google.com to search the web.

To locate particular information or documents in the repository, a user opens a browser window and navigates to a search page. The search page can be the default search page available on the Google Search Appliance or it can be a customized search page. The user types a search term in the search box and clicks Search.

The Google Search Appliance searches its index for documents and metadata containing the user's search term.

When the Google Search Appliance finds all the documents that match the search request, it presents the user with a pop-up window and asks for the user's user name and password. The connector manager passes the search results and the user credentials to the repository server. The repository server authenticates the user, evaluates the permissions for each document returned by the user's search, determines which documents the user is authorized to view, and returns that information to the connector manager.

The Google Search Appliance displays a results page listing the documents the user is authorized to view. When the user clicks a link on the results page, a web client window opens in which the user can view the document or its metadata, depending on how the connector is configured. If the user does not have an open session to the repository, the web client asks for the user's login credentials before displaying the document.


Uninstalling Connectors and Connector Managers


Deleting a Connector Instance from the Admin Console

You delete a connector instance only on the Admin Console of the Google Search Appliance. When you delete the instance, you delete the configuration information for the instance. The connector manager no longer creates and runs the instance.

Each connector instance is listed on the Admin Console in the Connector Administration > Connectors section. The indicator light is either green or red. Green indicates the existence of the connector instance.

To delete a connector instance:

  1. Log in to the Admin Console as an administrator.
  2. Click Connector Administration > Connectors.
  3. Click the Edit link for the correct connector.
  4. Check the Disable Traversal checkbox for the connector you are deleting.
  5. Click Save Configuration.
  6. On the Connector Administration > Connectors page, locate the connector instance you want to delete.
  7. Click the Delete link on the line for the correct connector instance.
  8. Click OK.

Deleting a Connector Manager

To delete a connector manager, you must first unregister the connector manager from the Admin Console, then uninstall the connector manager on the Tomcat host.

Before you unregister a connector manager, you must delete all connector instances associated with that connector manager. If you have a large number of connector instances, you can first stop the Tomcat instance where the connector manager is running, then unregister the connector manager.

It is also possible to uninstall the connector manager on the Tomcat host, then unregister the connector manager on the Admin Console.

Unregistering a Connector Manager from the Admin Console

To unregister a connector manager from the Admin Console:

  1. Log in to the Admin Console as an administrator.
  2. Click Connector Administration > Connector Managers.
  3. Locate the connector manager you want to delete.
  4. Click the Unregister link on the line for the correct connector manager.
  5. Click OK.

Uninstalling a Connector Manager

To uninstall a connector manager from the Tomcat host, do one of the following:

  • On Windows, click Start > All Programs > Google Search Appliance Connector version_number > Uninstall.
  • On Linux, click the appropriate shortcut.

To manually delete a connector manager on the Apache Tomcat host:

  1. Log in to the Apache Tomcat host as the installation owner (the user who installed Tomcat).
  2. Shut down Tomcat.
  3. Navigate to the $CATALINA_HOME/webapps directory.
  4. Delete the connector-manager.war file.
  5. Delete the $CATALINA_HOME/webapps/connector-manager directory.
  6. Restart Tomcat.

Troubleshooting the Google Search Appliance Connector for LDAP

If you have a problem that requires you to file a ticket with Google Cloud Support, be prepared to provide Support with the following information:

  • Verbose connector logs. See Logging for information on changing the default logging level. If you are reporting a problem to Support, it is ideal if you can reproduce the problem with the logging level set to ALL. However, log files with entries made when the problem occurred are also helpful.
  • Connector configuration files.
  • Feed record and metadata log file. See Logging Feed Record and Metadata Information to a Text File for information on generating this log file.

Diagnosing Connector Problems

If you create a connector instance and no search results are returned, use the following checklist to help diagnose the problem.

  • Problem: The connector has not traversed any documents.

    How to diagnose: View the Admin Console Feeds page or Crawl Diagnostics page to confirm. View the connector logs to help determine the specific reason.

  • Problem: The search appliance has not accepted the feed.

    How to diagnose: View the Admin Console Feeds page to determine whether the search appliance is accepting feeds.

  • Problem: The connector has not traversed the designated test documents.

    How to diagnose: View the Admin Console Crawl Diagnostics page. Examine the connector logs and look for the end of a traversal or for errors associated with specific documents. Lastly, enable the teedFeedFile and reset the traversal.

  • Problem: The search appliance has not indexed the documents.

    How to diagnose: This can be difficult to determine, but the Crawl Diagnostics page tells you which content files have not been indexed. Usually, you must wait until the content is indexed. This failure is more common with metadata-and-URL feed connectors.

    With content feed connectors, a document can appear on the Crawl Diagnostics pages almost immediately, sometimes before the feed appears on the Feeds page. However, the document does not appear in search results for another 5 to 15 minutes. If a document does not appear on Crawl Diagnostics, it has not been indexed and probably has not been traversed.

  • Problem: The Documentum connector is slow to index content, but is sending feeds.

    How to diagnose: The connector performs the following three main actions:

    1. A query to find documents to add (including updates)
    2. A query to find documents to delete
    3. The retrieval and feeding of the documents

    Usually, when the batches are slow, the problem is the query performance. Turn the logging level up to FINE to verify that the query execution is slow.

    To improve query performance, there are recommended database indexes.

  • Problem: Secure documents were not included in test searches.

    How to diagnose: Ensure that a secure search was performed.

  • Problem: There were authentication failures.

    How to diagnose: Depending on the search appliance version, examine the Security Manager log or the connector logs.

  • Problem: There were authorization failures.

    How to diagnose: Examine the authorization log on the search appliance Access Control page or the connector logs. For metadata-and-URL feeds or policy ACLs, this is where you will find the information you need. For connector authorization, the connector log has more details about failures than the search appliance authorization log.

When you examine the connector logs, error messages labeled SEVERE or Exception are good starting points. For authorization issues, search the logs for the user name of the users who experienced authorization failures.
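
The triage described above can be run over a connector log file rather than by eye. The following is an added example, not part of the connector: it groups the two-line java.util.logging records and their continuation lines, flags records that are SEVERE or mention an exception, and finds records that name a given user. The sample log is constructed: the first and fourth records reuse messages quoted in the Error Messages section, and the com.example class names, the user name jdoe, and the function names are placeholders.

```python
import re
from collections import Counter

# First line of a record: timestamp, logging class, method.
HEADER = re.compile(
    r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
# Second line of a record: level and message.
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")

# Constructed sample log; com.example names and "jdoe" are placeholders.
SAMPLE_LOG = """\
Aug 23, 2011 11:18:56 AM com.google.enterprise.connector.sharepoint.wsclient.WebsWS checkConnectivity
WARNING: Unable to connect.
AxisFault
faultString: (401)Unauthorized
Aug 23, 2011 11:19:02 AM com.example.connector.Traverser runBatch
INFO: Batch complete: 200 documents
Aug 23, 2011 11:19:20 AM com.example.connector.Traverser runBatch
WARNING: Retrying repository query
java.net.SocketTimeoutException: Read timed out
Aug 23, 2011 11:19:40 AM com.example.connector.Pusher feed
SEVERE: Feed Exception during traversal.
com.google.enterprise.connector.pusher.FeedException: Connection refused: connect
Aug 23, 2011 11:20:05 AM com.example.connector.Authorizer authorize
INFO: Authorization denied for user jdoe
"""


def parse_records(text):
    """Group log lines into records; extra lines become the record's detail."""
    records, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = {"time": head.group(1), "source": head.group(2),
                       "method": head.group(3), "level": None,
                       "message": "", "detail": []}
            records.append(current)
            continue
        if current is None:
            continue  # ignore a partial record at the start of a rotated file
        level = LEVEL.match(line) if current["level"] is None else None
        if level:
            current["level"], current["message"] = level.group(1), level.group(2)
        else:
            current["detail"].append(line)
    return records


def body(record):
    """Message plus continuation lines (stack trace, fault fields)."""
    return "\n".join([record["message"]] + record["detail"])


def triage(records):
    """Records labeled SEVERE or mentioning an Exception, in log order."""
    return [r for r in records
            if r["level"] == "SEVERE" or "Exception" in body(r)]


def mentioning(records, user_name):
    """Records that mention user_name, for following up authorization failures."""
    needle = user_name.lower()
    return [r for r in records if needle in body(r).lower()]


def level_counts(records):
    """Number of records per logging level."""
    return Counter(r["level"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(dict(level_counts(recs)))
    for r in triage(recs):
        print(r["time"], r["level"], r["source"], "-", r["message"])
        for line in r["detail"]:
            print("    " + line)
```

The 401 warning in the sample is not flagged, because it is neither SEVERE nor labeled as an exception; widen the rule in triage() if WARNING records matter for the problem being diagnosed.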


Logging

Logging is a useful technique for recording information about how your installation is operating. You can use the information logged for troubleshooting the operations of the connector, the Google Search Appliance, and LDAP.

The connector manager and connectors use the java.util.logging package for logging. The installer installs a logging mechanism for the connector and starts the logging process automatically. The default logging configuration is defined in the logging.properties file.

To customize the configuration, navigate to
connectors_root_dir/connector_name/Tomcat/webapps/connector-manager/WEB-INF/classes and edit the logging.properties file there.

The following line in the file sets the default logging level for the LDAP connector:

.level=INFO

The default logging level for most packages and output destinations (handlers) is INFO. To enable debugging at a finer level of granularity, you can change the default connector manager logging level to ALL or FINER. For example, you might change the logging level as follows:

.level = ALL

The possible values of the level property are OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, and ALL. The default level is INFO.

Starting with GSA version 6.14, when you use Connector Manager 2.8.x, you can adjust the logging level in the Admin Console. However, this change affects only the currently running process and reverts to the default when the connector manager restarts.

The output from the FileHandler appears in the connectors_root_dir/connector_name/Tomcat/logs directory. The output appears in the google-connectors.sequence.log file, where sequence is a series of numbers starting with 0 and incremented by 1 on each occurrence (0, 1, 2, 3...n). The first three log file names would be google-connectors.0.log, google-connectors.1.log, and google-connectors.2.log.

After editing the logging.properties file, restart Tomcat.

In addition, enable logging for the content management system's native API on the Apache Tomcat host and, if relevant, on the repository server host.


Error Messages

This section describes some commonly encountered error messages and their likely solutions.

Search Appliance Unable to Connect to the Connector Manager

If the Apache Tomcat instance where the connector manager is installed is not started or if the location you type in is incorrect or invalid, a message is displayed on the Connector Manager Administration page of the Admin Console saying "The appliance could not connect to the connector manager as specified in the location. Make sure that the URL is correct, or try again later."

Admin Console Error

HTTP 404 Error When Registering a Connector Manager

When you are registering a new connector manager, you might see the following error message:

The HTTP response failed with the following code: 404. No external connector managers registered.

This means that the CATALINA_HOME environment variable is not set correctly on the Tomcat host. Examine the Tomcat startup script or .bashrc and ensure that CATALINA_HOME points to the correct Tomcat installation.

HTTP 401 Error When Configuring a Connector

When creating the connector, the GSA administrator might see the following error:

Cannot connect to the given SharePoint Site URL with the supplied Domain/Username/Password. Reason:(401) Unauthorized

  1. Check that the username and password are correct. Configure the crawler access under Crawl and Index > Crawler Access and perform a manual fetch under Status and Reports > Real-time Diagnostics in the Admin Console to verify connectivity and validate the credentials. If you get a 401, confirm the username and password again. If you get an HTTP status of 200, check the logs for the information below.
  2. Check the connector log. If you see the following error, check that the user has contribute access.

    Aug 23, 2011 11:18:56 AM com.google.enterprise.connector.sharepoint.wsclient.WebsWS checkConnectivity
    WARNING: Unable to connect.
    AxisFault
    faultCode: {http://xml.apache.org/axis/}HTTP
    faultSubcode:
    faultString: (401)Unauthorized
    faultActor:
    faultNode:
    faultDetail:
    {}:return code: 401
    401 UNAUTHORIZED
    {http://xml.apache.org/axis/}HttpErrorCode:401

Feed Exception During Traversal

You might see the following error message if you installed a connector manually or you are using a connector manager earlier than version 2.0:

SEVERE: Feed Exception during traversal.
com.google.enterprise.connector.pusher.FeedException: Connection refused: connect

This happens when the connector service is reinstalled, whether or not it is the same version, to a new location, but it is not reregistered on the Admin Console. The connector service points at localhost by default, rather than pointing to the search appliance. In this situation, the connectors are unable to feed documents to the search appliance.

To fix this issue:

  1. Log in to the Admin Console and navigate to the Connector Managers page.
  2. Click the Edit link for your connector manager.
  3. Click the Save button.

Alternatively, you can manually edit the applicationContext.properties file in the Tomcat/webapps/connector-manager/WEB-INF directory by changing localhost to the IP address of the GSA in the following line:

gsa.feed.host=localhost

If you manually edit the file, you must restart Tomcat after you save your changes.
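
A check for this condition, as an added example that is not part of the original documentation: it reads gsa.feed.host from a properties file and flags values that do not point at the search appliance. The function names and the sample file are constructed for illustration; run check_feed_host against your own applicationContext.properties.

```shell
#!/bin/sh
# Added example (not connector project code). Function names are hypothetical.

# prop_value FILE KEY: print the effective value of KEY in a .properties file.
# Skips '#' and '!' comment lines, tolerates spaces around '=', and lets the
# last definition win, as it does when Java loads the file.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            sep = index($0, "=")
            if (sep == 0) next
            k = substr($0, 1, sep - 1)
            v = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val; else exit 1 }
    ' "$1"
}

# check_feed_host FILE: return 0 when gsa.feed.host names a remote host,
# 1 when it is empty or a loopback name (the "Connection refused" case),
# 2 when the key is missing from FILE.
check_feed_host() {
    host=$(prop_value "$1" gsa.feed.host) || {
        echo "gsa.feed.host is not set in $1"
        return 2
    }
    case "$host" in
        localhost|127.*|::1|"")
            echo "gsa.feed.host='$host' does not point at the search appliance"
            return 1 ;;
        *)
            echo "gsa.feed.host=$host"
            return 0 ;;
    esac
}

# Constructed sample: a reinstalled connector manager still using the default.
sample=$(mktemp)
printf '%s\n' '# constructed sample file' 'gsa.feed.host = localhost' > "$sample"
check_feed_host "$sample" || echo "check_feed_host exit status: $?"
rm -f "$sample"
```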

Error Message When Trying to Add a Connector to an Unavailable Connector Manager

When a connector manager is unavailable, the Admin Console displays a circular red indicator next to the connector manager name. If you try to add a connector to an unavailable connector manager, you see the following error message:

The appliance encountered an error while trying to make the following servlet call: getConnectorList

The connector manager might be unavailable for one of the following reasons:

  • Tomcat is not running on the registered host and port
  • The connector manager host is unreachable
  • The Tomcat Remote Address Filter is rejecting access

Check each condition and correct any problems.


How Security is Supported

All LDAP records indexed by the LDAP connector are public. There is no support for restricting access to the indexed records.

For More Security Information

For more information on authentication and authorization with connectors, see the chapters on "Crawl, Index, and Serve," "Use Cases with Public and Secure Serve for Multiple Authentication Mechanisms," and "Cookie-Based Authentication Scenarios" in Managing Search for Controlled-Access Content.


Logging Feed Record and Metadata Information to a Text File

You can log all URLs and metadata fed to a Google Search Appliance without recording all content. There are two ways to implement this logging technique.


Using the feedLoggingLevel Property

To use the feedLoggingLevel property to log URLs and metadata:

  1. Log on to the Apache Tomcat host with the user account under which Tomcat runs.
  2. Shut down the Tomcat instance that hosts the connector manager.
  3. Navigate to the webapps/connector-manager/WEB-INF/ directory.
  4. Open the applicationContext.properties file in a text editor.
  5. Set the feedLoggingLevel property to the value ALL:

    feedLoggingLevel=ALL

  6. Save the applicationContext.properties file.
  7. Restart Tomcat.

    The logging information is recorded in the $CATALINA_BASE/logs/google-connectors.feed%g.log files, where %g is a generation number used to distinguish among rotated logs.


Using a logging.properties Configuration File

To use a logging.properties configuration file to log URLs and metadata:

  1. Log on to the Apache Tomcat host with the user account under which Tomcat runs.
  2. Shut down the Tomcat instance that hosts the connector manager.
  3. Navigate to the logging.properties file.
    • If you installed the connector using the installer, the file is in the connector_directory/Tomcat/webapps/connector-manager/WEB-INF/classes/ directory.
    • If you installed the connector manually, navigate to the location where you created a logging.properties file. The logging.properties file is probably in the If not, copy the logging.properties file from the $JAVA_HOME/lib/ directory to the $CATALINA_HOME/webapps/connector-manager/WEB-INF/classes directory. You might have to create the /classes directory manually.
  4. Open the logging.properties file in a text editor.
  5. Add the following line to the file:

    com.google.enterprise.connector.pusher.DocPusher.FEED_WRAPPER.FEED.level=FINER

  6. Save the logging.properties file.
  7. Restart Tomcat.

    The logging information is recorded in connector_directory/Tomcat/logs/google-connectors.feed%g.log, where %g is a generation number used to distinguish among rotated logs.
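
Both procedures above come down to setting one key in a properties file. The following added example, which is not part of the original documentation, makes that edit repeatable: it rewrites an existing definition instead of appending a duplicate and keeps a backup. The function name set_prop and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not connector project code). set_prop is a hypothetical name.
# Run it while Tomcat is shut down, as in the steps above.

# set_prop FILE KEY VALUE
# Rewrites the uncommented definition of KEY as KEY=VALUE (collapsing any
# duplicates into one line) or appends it when absent. Keeps FILE.bak.
# Returns 0 when FILE changed, 3 when it already held exactly KEY=VALUE.
set_prop() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        {
            sep = index($0, "=")
            if ($0 !~ /^[ \t]*[#!]/ && sep > 0 && trim(substr($0, 1, sep - 1)) == key) {
                if (!seen) print key "=" value
                seen = 1
                next
            }
            print
        }
        END { if (!seen) print key "=" value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    # Write through the existing file so its owner and mode are preserved.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample files standing in for the two files named above.
dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'feedLoggingLevel=OFF' > "$dir/applicationContext.properties"
printf '%s\n' '# constructed sample' '.level=INFO' > "$dir/logging.properties"
set_prop "$dir/applicationContext.properties" feedLoggingLevel ALL
set_prop "$dir/logging.properties" \
    com.google.enterprise.connector.pusher.DocPusher.FEED_WRAPPER.FEED.level FINER
cat "$dir/applicationContext.properties" "$dir/logging.properties"
rm -rf "$dir"
```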


Related Documentation

For more information on the connector manager, see Introducing Connectors. For release notes, see the connector open-source project site.
