
{toc}

h2. About Crawling Windows Shares with Access Control Lists

LucidWorks Enterprise can crawl Windows shares and the Access Control Lists (ACLs) associated with shared files and directories. You can use this ACL information to limit users' searches to the content they are permitted to access.

The following model is implemented as a search filtering component by default:

|| Group READ Access || Subgroup READ Access || User READ Access || Search Result Returned? ||
| o (permit) | o | o | o |
| o | × (deny) | o | × |
| o | o | × | × |
| o | × | × | × |
| × | o | o | × |
| × | × | o | × |
| × | o | × | × |
| × | × | × | × |
| o | \- (not set) | o | o |
| o | o | \- | o |
| o | \- | \- | o |
| \- | o | o | o |
| \- | \- | o | o |
| \- | o | \- | o |
| \- | \- | \- | × |

To understand this table, read the rows left to right. For example, in the first row, we see that the user's main group, subgroup, and individual permissions all allow READ access to a shared resource, so the search result is returned. In the second row, we see that the user's main group and user's individual permissions allow READ access, but the user's subgroup's permissions do not, so no search result is returned to the user.
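
The table can be read as a deny-overrides rule: any explicit deny hides the result, otherwise at least one explicit permit is needed, and nothing set means no result. The sketch below is an added example, not LucidWorks Enterprise code; it checks that rule against the table's 15 rows and applies it to a constructed result set. The rule is inferred from the listed rows only (combinations the table does not list are an assumption), and all function names, principals, and file names are hypothetical.

```python
# Added illustration, not LucidWorks Enterprise code. The rule is inferred
# from the table; names and sample data below are constructed.
PERMIT, DENY, UNSET = "o", "×", "-"

def read_allowed(states):
    """states: READ setting for each of the user's principals."""
    if DENY in states:        # any explicit deny hides the result
        return False
    return PERMIT in states   # otherwise at least one permit; all unset -> False

def principal_state(acl, principal):
    """acl: list of (principal, 'allow' | 'deny') READ entries on one file."""
    kinds = {kind for who, kind in acl if who == principal}
    if "deny" in kinds:
        return DENY
    return PERMIT if "allow" in kinds else UNSET

def filter_results(docs, principals):
    """Return ids of documents these principals may READ."""
    return [doc_id for doc_id, acl in docs
            if read_allowed([principal_state(acl, p) for p in principals])]

# The table's rows as group, subgroup, user, returned?
TABLE = ["oooo", "o×o×", "oo××", "o×××", "×oo×", "××o×", "×o××", "××××",
         "o-oo", "oo-o", "o--o", "-ooo", "--oo", "-o-o", "---×"]

def table_mismatches():
    """Rows where the inferred rule disagrees with the table (expected: none)."""
    return [row for row in TABLE
            if read_allowed(list(row[:3])) != (row[3] == PERMIT)]

# Constructed search hits with their READ ACL entries.
DOCS = [
    ("plan.doc",     [("staff", "allow")]),
    ("salaries.xls", [("staff", "allow"), ("contractors", "deny")]),
    ("notes.txt",    [("alice", "allow")]),
    ("board.ppt",    [("executives", "allow")]),
]
ALICE = ["staff", "contractors", "alice"]   # group, subgroup, user

if __name__ == "__main__":
    print("table mismatches:", table_mismatches())
    print("visible to alice:", filter_results(DOCS, ALICE))
```
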

h2. Additional System Requirements

h3. Operating System

* Microsoft Windows Server 2003
* Microsoft Windows Server 2008

h3. Microsoft Windows Active Directory

Active Directory is required to retrieve user and group data.

h3. Network Connections

Connections from LucidWorks Enterprise to the host sharing the directory:
* Server Message Block (SMB)
** TCP Port 445
** UDP Port 445

Connections from LucidWorks Enterprise to the host running Active Directory:
* Lightweight Directory Access Protocol (LDAP)
** TCP Port 389

For information on setting up LDAP in LucidWorks Enterprise for use with Windows Active Directory, see [LDAP Integration|lweug18:LDAP Integration].

h3. Other Requirements

* Credentials with READ and ACL READ permissions for accessing the Windows share. We recommend that you create a special user for this purpose.
* Credentials with read-only access to the Active Directory LDAP. This is used for search-time filtering, and we recommend that you create a special user for this purpose.

h2. How To Set Up and Crawl an SMB Data Source with ACLs

# [Create an SMB data source|lweug18:Windows Share (SMB) Data Source]. LucidWorks Enterprise (LWE) crawls recursively, so you only need to provide a starting URL and the credentials required to access the share. LWE crawls SMB data sources with the filesystem crawler, so all of the filesystem crawler's features are available, including {{include_paths}}, {{exclude_paths}}, {{crawl_depth}}, and {{max_size}}. You can specify these features in the data source configuration.
# [Configure the ACL Filtering component|lweug18:Access Control List Configuration].
\\
\\
{info}
ACL filtering can also be configured using the [lweug18:Filtering] and Search Handler Component APIs.
{info}
\\
# Crawl the new SMB data source.