====== Systems - LDAP: Manage users ======

===== Introduction =====

This tutorial walks you through connecting LDAP as a target system for user management in CzechIdM. It uses the default LDAP connector provided by ConnId.

===== Basic configuration =====

Go to the **Systems** section in the main menu and click the **Add** button above the list of existing systems. On the first page, just enter the system name. If the default password policy does not match the password requirements of your LDAP server, configure a new password policy here.

===== Connector configuration =====

In the next step, switch to the **Configuration** menu of the new system. First select the connector, in this case the **LDAP connector**; this opens the configuration specific to that connector. Then fill in the important fields.

//Example configuration for our local LDAP:// TODO

Enable **Use VLV Controls** and set the **VLV Sort Attribute** to the same value as the **Uid Attribute**. Otherwise account searches may not work correctly in the current version of the LDAP connector (the first result is skipped due to a bug).

==== Base Contexts ====

The **Base Contexts** property holds one or more starting points in the LDAP directory tree used for searches. When synchronization runs in reconciliation mode, the connector runs a separate search for every value in Base Contexts. The search is paged: entries are processed in blocks of (by default) 100 records in the configured (VLV) sort order.

Be careful if you have multiple values in Base Contexts and you **modify distinguished names** of entries **during reconciliation**. If an entry is moved to a different base while its original base is still being paged through, the page offsets shift, other entries can be skipped by the paging, and those entries end up in the **Missing account** state. Avoid this scenario altogether.

===== Scheme =====

Proceed to the **Scheme** menu on your system.
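The paging hazard described under Base Contexts above, as an added simulation (not CzechIdM or ConnId code): one base context is read with offset-based paging in VLV sort order, and between two pages an already-processed entry is moved to another base. The server renumbers its sorted view, the client's next offset points one entry too far, and an untouched entry is never returned. The DNs, the page size of 3 (the connector default is 100) and the hook that performs the move are all assumptions of this example.

```python
"""Why moving an entry out of a Base Context during reconciliation loses a
different entry.

Added simulation, not CzechIdM or ConnId code. One base context is walked with
offset-based paging in VLV sort order; a concurrent DN change moves an
already-processed entry to another base; the next page then skips an entry
that was never touched. Page size is 3 instead of the connector default of
100, and the DNs are constructed for this example.
"""
from typing import Callable, List, Optional

PAGE_SIZE = 3  # assumption for the demo; the connector default is 100

BASE = "ou=people,o=example,c=tld"  # constructed base context
DIRECTORY = [f"uid=user{n:02d},{BASE}" for n in range(1, 8)]  # constructed entries


def sort_key(dn: str) -> str:
    """Sort by the RDN, i.e. by uid, the VLV Sort Attribute used in this tutorial."""
    return dn.split(",", 1)[0]


def fetch_page(directory: List[str], offset: int, size: int) -> List[str]:
    """Server side: `size` entries starting at `offset` of the sorted view,
    the way a VLV request with an offset target is answered."""
    ordered = sorted(directory, key=sort_key)
    return ordered[offset:offset + size]


def reconcile(directory: List[str],
              between_pages: Optional[Callable[[List[str]], None]] = None) -> List[str]:
    """Client side: walk one base context page by page and return every DN seen.
    `between_pages` is the point where a concurrent directory change happens."""
    seen: List[str] = []
    offset = 0
    while True:
        page = fetch_page(directory, offset, PAGE_SIZE)
        if not page:
            return seen
        seen.extend(page)
        offset += len(page)
        if between_pages is not None:
            between_pages(directory)


def move_user01_to_other_base(directory: List[str]) -> None:
    """Concurrent change: user01 (already returned on page 1) is moved to
    another base context, so it disappears from this base's sorted view."""
    moved = f"uid=user01,{BASE}"
    if moved in directory:
        directory.remove(moved)


def skipped_entries(before: List[str], seen: List[str]) -> List[str]:
    """Entries of the original view that the walk never returned."""
    return sorted(set(before) - set(seen), key=sort_key)


if __name__ == "__main__":
    clean = reconcile(list(DIRECTORY))
    print("without concurrent change:", len(clean), "entries returned, none skipped")
    working_copy = list(DIRECTORY)
    seen = reconcile(working_copy, move_user01_to_other_base)
    print("user01 moved after page 1; still present but never returned:",
          skipped_entries(DIRECTORY, seen))
```

The entry that goes missing is not the one that was moved (user01 was already on the first page) but user04, which still exists in the base and would be flagged as a Missing account by the reconciliation. The same shift happens with any offset-based paging once the sorted view changes under the client.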
You can let CzechIdM generate the scheme for you with the **Generate scheme** button. A generated scheme typically marks most attributes as **multivalued** (even givenName, sn or cn). This may be acceptable, but it complicates things if you want to fill these attributes from EAVs and transform them - [[https://redmine.czechidm.com/issues/2452|see more]]. Always check what was generated.

If you prefer to configure everything manually:

  * Use the **Add** button to create a new scheme. For users, name it ''%%__ACCOUNT__%%'', as this is a ConnId constant.
  * Add all LDAP attributes you want to work with. Use the ConnId constant ''%%__NAME__%%'' for the identifier attribute (the distinguished name).
  * Mark all attributes as **Able to read**.

//Example scheme:// TODO

The **uid** attribute must have the following checkboxes enabled: **Able to read**, **Able to create** and **Returned by default**. **Able to create** is crucial if you manage posixGroups: the LDAP connector requires the **uid** attribute at creation time when **posixGroups** is also set, otherwise it fails with ''Cannot add entry "uid=john.doe,ou=people,o=domain,c=tld" to POSIX groups because it does not have a "uid" attribute''.

On the other hand, **Able to edit** must not be enabled if **uid** is part of the distinguished name. Otherwise any change of **uid** fails with ''javax.naming.directory.SchemaViolationException: [LDAP: error code 67 - Not Allowed On RDN]''.

===== Mapping =====

Go to the **Mapping** menu. Here you define how identity attributes are mapped between CzechIdM and LDAP. First set:

  * **Operation type:** Provisioning
  * **Object name:** ''%%__ACCOUNT__%%''
  * **Entity type:** Identity
  * **Mapping name:** whatever you prefer, e.g. "Provisioning of users".

Then map all attributes as entity attributes as shown in the example below. Make sure ''%%__NAME__%%'' is set as the identifier.
//Example attribute mapping:// TODO

The distinguished name is mapped to the ''%%__NAME__%%'' attribute. If the DN contains the CN (common name, a typical setting), do not map the **cn** attribute again: the CN is already populated through the DN, and mapping it a second time may cause LDAP to reject changes with ''LDAP: error code 67 - Not Allowed On RDN''.

===== Provisioning =====

Finally, go to the **Provisioning** menu and add a new provisioning. Set its **Name** and these fields:

  * **Allowed:** true
  * **Set of mapped attributes:** select the mapping from the previous step.
  * **Correlation attribute:** ''%%__NAME__%%''

You can leave the rest of the configuration at the default values.

//Example provisioning results:// TODO

===== Create LDAP role in IdM =====

To provision an account to LDAP, you need a role bound to the system with the LDAP provisioning mapping:

  * Create a role, e.g. "LDAP - user", and save it.
  * On the role detail page go to the **System** tab, add the LDAP system created in this tutorial and save.

To provision a user to LDAP, assign the role "LDAP - user" to them. Provisioning runs immediately when the role is assigned. You can check the result on the user's profile detail under the **Provisioning** tab.
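The two RDN rules from the Scheme and Mapping sections above (no **Able to edit** on **uid** when it is in the DN, and no second mapping of **cn** when the DN already carries it) can be checked offline before the first provisioning run. The script below is an added example, not code from CzechIdM or the ConnId LDAP connector: it parses the DN that ends up in ''%%__NAME__%%'', extracts the attribute types of the leftmost RDN (handling backslash escaping and ''+''-joined multi-valued RDNs) and compares them with the attributes you mapped and marked editable. The DNs and mappings in it are constructed samples.

```python
"""Offline check of a CzechIdM -> LDAP attribute mapping against the RDN.

Added example, not code from CzechIdM or the ConnId LDAP connector. Given the
DN that the mapping writes to __NAME__ and the sets of attributes that are
mapped and marked "Able to edit", it reports the two configurations the
tutorial warns about:
  error   - an RDN attribute (e.g. uid) is "Able to edit": the first change of
            that attribute fails with LDAP error 67, Not Allowed On RDN;
  warning - an RDN attribute (e.g. cn) is already set through the DN but is
            mapped again; drop the mapping unless the connector needs the
            attribute, as it needs uid when posixGroups is configured.
Backslash escaping (RFC 4514) and multi-valued RDNs joined with '+' are
handled; the DNs and mappings below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

Finding = Tuple[str, str, str]  # (level, attribute, message)


def split_unescaped(value: str, sep: str) -> List[str]:
    """Split `value` on `sep`, ignoring separators escaped with a backslash."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def rdn_attribute_types(dn: str) -> List[str]:
    """Lower-cased attribute types of the leftmost RDN, e.g. ['cn'] or ['cn', 'uid']."""
    leftmost_rdn = split_unescaped(dn, ",")[0]
    types: List[str] = []
    for ava in split_unescaped(leftmost_rdn, "+"):  # attribute=value pairs
        attr_type, _, _ = ava.partition("=")
        types.append(attr_type.strip().lower())
    return types


@dataclass
class Mapping:
    dn: str             # value that ends up in __NAME__
    mapped: Set[str]    # attributes that have a mapping in CzechIdM
    editable: Set[str]  # subset of `mapped` with "Able to edit" in the scheme


def check_mapping(m: Mapping) -> List[Finding]:
    """Return one finding per RDN attribute that is editable (error) or mapped (warning)."""
    findings: List[Finding] = []
    mapped = {a.lower() for a in m.mapped}
    editable = {a.lower() for a in m.editable}
    for attr in rdn_attribute_types(m.dn):
        if attr in editable:
            findings.append(("error", attr,
                             f"'{attr}' is part of the RDN but 'Able to edit' is enabled; "
                             "changing it fails with LDAP error 67 (Not Allowed On RDN)"))
        elif attr in mapped:
            findings.append(("warning", attr,
                             f"'{attr}' is already populated through the DN; keep the "
                             "mapping only if the connector needs it (uid with posixGroups)"))
    return findings


if __name__ == "__main__":
    samples = [  # constructed mappings
        Mapping("uid=john.doe,ou=people,o=domain,c=tld", {"uid", "mail"}, {"uid", "mail"}),
        Mapping("cn=John Doe,ou=people,o=domain,c=tld",
                {"cn", "sn", "givenName", "mail"}, {"sn", "givenName", "mail"}),
        Mapping("cn=Doe\\, John,ou=people,o=domain,c=tld", {"sn", "mail"}, {"sn", "mail"}),
    ]
    for sample in samples:
        for level, attr, message in check_mapping(sample) or [("ok", "-", "no RDN conflicts")]:
            print(f"{level:8} {sample.dn:42} {message}")
```

Run it against the DN template and attribute lists of your own mapping; an ''error'' means the first attribute change after creation will be rejected by the server, a ''warning'' means the attribute is written twice (once via the DN, once via its own mapping) and should be dropped unless, as with **uid** and posixGroups, the connector needs it at creation time.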