Systems - AD: Groups synchronization

This tutorial is intended as a guide for administrators that want to load AD groups into CzechIdM (either one time or as a scheduled job).

This tutorial is for IdM 9 and 10. In version 11 you can use a wizard for the groups synchronization configuration (see the wizard tutorial).

You will learn

Before you start

Adding Active Directory connector

Since CzechIdM 9.2, the forked ConnId AD connector is bundled inside CzechIdM by default. You can use it out of the box.

System for managing AD users

Loading AD groups into IdM is usually done when you want IdM to manage the group membership of the AD users. Connecting the system that manages AD users is therefore a logical step before you start synchronizing the groups.

If you followed the tutorial for managing AD users, you have the necessary configuration of the AD users system mostly prepared. Specifically:

However, it is a common request to do an initial load of the group membership from AD. This topic will be covered later. FIXME synchronization of AD users with distinguishedName mapped to an EAV of the identity, so that the groups synchronization workflow can resolve membership.

Automatic creation of automatic roles

The synchronization of AD groups can also create automatic roles based on the position of the groups in AD. These are specific options of the groups synchronization workflow and they are not often used in a typical setup. However, if you want to use them, make sure to create EAVs for IdmTreeNode, IdmIdentity and IdmIdentityContract, so that these EAVs can be used to create the automatic roles: IdmTreeNode for an automatic role by organization and the other two for an automatic role by attributes.

Create system

Connector configuration

On this page fill in these important values:

When you configure the system for the first time, the root suffix should point to the top container (e.g. DC=domain,DC=local), so that the system schema can be generated correctly.
In the user provisioning system's configuration, "Base context of groups" should be filled in too, so that memberships are provisioned correctly.
The user provisioning system's schema and mapping should contain the attribute memberOf/ldapGroups with the strategy set to "Merge".
If there are more than 10000 groups in AD and "Base contexts for group entry searches" is set to the root of the domain (e.g. DC=AD,DC=FIRMA,DC=CZ), the search fails with: LDAP: error code 12 - 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION), data 0

Workaround/solution: split the LDAP search by listing several narrower values in "Base contexts for group entry searches", one OU per line, so that each search returns fewer groups:

  • OU=001OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
  • OU=002OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
  • OU=003OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
  • OU=004OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
  • OU=005OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz

Another way to solve this problem is by using "Custom group search filter" in the system configuration.
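The splitting described above can be planned from an export of the group DNs. The following is an added example, not part of CzechIdM or the connector: it walks down from the root until every search base holds at most `LIMIT` groups (the 10000-group limit behind the error code 12 above) and reports groups that sit directly in a container that had to be split, because no narrower base context reaches those and they need the "Custom group search filter" instead. The DNs, `LIMIT` and the small demo limit are constructed for the example; DNs with escaped commas are not handled.

```python
# Added example, not part of CzechIdM: plan the "Base contexts for group entry
# searches" lines so that no single LDAP search exceeds the server's result limit.
LIMIT = 10000  # the AD search limit that produced "error code 12 ... UNAVAIL_EXTENSION"


def parent_dn(dn):
    """Container of `dn`: everything after the first RDN (escaped commas not handled)."""
    return dn.split(",", 1)[1]


def is_under(dn, base):
    """True if `dn` is `base` itself or lies anywhere below it (case-insensitive)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def plan_base_contexts(group_dns, root, limit=LIMIT):
    """Return (bases, uncovered): base contexts under `root`, each holding <= limit
    groups, plus groups that sit directly in a split container (cover those with
    "Custom group search filter", a narrower base cannot reach them)."""
    groups = [dn for dn in group_dns if is_under(dn, root)]
    if len(groups) <= limit:
        return [root], []
    by_child, uncovered = {}, []
    for dn in groups:
        container = parent_dn(dn)
        if container.lower() == root.lower():
            uncovered.append(dn)  # directly in root: cannot be narrowed further
            continue
        while parent_dn(container).lower() != root.lower():
            container = parent_dn(container)  # climb to the direct child of root
        by_child.setdefault(container, []).append(dn)
    bases = []
    for child, dns in sorted(by_child.items()):
        sub_bases, sub_uncovered = plan_base_contexts(dns, child, limit)
        bases.extend(sub_bases)
        uncovered.extend(sub_uncovered)
    return bases, uncovered


# Constructed sample in the shape of the OUs listed above (not a real export)
ROOT = "DC=ad,DC=FIRMA,DC=cz"
SAMPLE_GROUPS = [
    "CN=g1,OU=001OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz",
    "CN=g2,OU=001OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz",
    "CN=g3,OU=002OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz",
    "CN=g4,OU=002OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz",
    "CN=g5,OU=002OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz",
    "CN=g6,OU=Other,DC=ad,DC=FIRMA,DC=cz",
    "CN=g7,DC=ad,DC=FIRMA,DC=cz",   # directly in the domain root
    "CN=g8,DC=other,DC=local",      # outside the root, ignored
]

if __name__ == "__main__":
    bases, uncovered = plan_base_contexts(SAMPLE_GROUPS, ROOT, limit=3)  # tiny demo limit
    print("\n".join(bases))
    print("needs a custom group search filter:", uncovered)
```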

Connector's mapping

| Attribute in schema | Name               | Attribute          | IdM key            |
|---------------------|--------------------|--------------------|--------------------|
| __NAME__ (__GROUP__)| DN(__NAME__)       | extended           | distinguished_name |
| name (__GROUP__)    | name               | entity             | name               |
| name (__GROUP__)    | name-code          | entity             | code               |
| __UID__ (__GROUP__) | __UID__            | identifier         |                    |

Synchronization of groups

At this point the configuration of the synchronization is complete. Save the synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships fails, do not forget to try the "ldapGroups" attribute.

If you synchronize groups with resolving of user membership, the connector does not support groups with more than 1000 members (by default). If you need more, you must (temporarily) increase MaxPageSize in the AD configuration.

Editing groups in Active Directory

CzechIdM manages the membership of users in Active Directory groups, but editing of the groups themselves is done by administrators directly in AD, so you need to propagate these edits to IdM. If you do not follow the correct steps, provisioning of users who are members of an incorrectly edited AD group ends with the following error:

org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.NameNotFoundException:
[LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:'OU=Groups,DC=test_company,DC=local'];
remaining name 'CN=My_test_group,OU=Groups,DC=test_company,DC=local'

This error means that CzechIdM cannot find, in Active Directory, any group with the DistinguishedName stored in the assigned role. The group may have been renamed, moved or deleted. If you come across this error, delete the affected items in the provisioning queue of the users, go through the steps below, and re-save the stuck users when you are finished.
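An added example, not part of CzechIdM, that reads the missing DN out of the NameNotFoundException above and tells whether a groups synchronization is the fix: when the missing DN lies under the configured group base contexts, the group was renamed, moved or deleted in IdM scope and the steps below apply; when it lies outside them, the role's distinguished_name points somewhere IdM never managed. The error text and the base contexts are constructed for the example in the shape shown above.

```python
# Added example, not part of CzechIdM: classify an "LDAP: error code 32" provisioning
# failure so the administrator knows whether running the groups synchronization fixes it.
import re


def is_under(dn, base):
    """True if `dn` is `base` itself or lies anywhere below it (case-insensitive)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def parse_no_object_error(text):
    """Return (missing_dn, best_match) from an error-32 message, or None for other errors."""
    if "error code 32" not in text:
        return None
    remaining = re.search(r"remaining name '([^']+)'", text)
    best = re.search(r"best match of:'([^']*)'", text)
    if remaining is None:
        return None
    return remaining.group(1), (best.group(1) if best else "")


def diagnose(text, group_base_contexts):
    """Explain the failure in terms of the steps of this tutorial."""
    parsed = parse_no_object_error(text)
    if parsed is None:
        return "not a NO_OBJECT (error code 32) failure; look elsewhere"
    missing, best = parsed
    parent = missing.split(",", 1)[1]  # container the group was expected in
    if not any(is_under(missing, base) for base in group_base_contexts):
        return f"{missing} is outside the IdM group scope: check the role's distinguished_name"
    if best.lower() == parent.lower():
        return f"container exists but group {missing} is gone: run groups sync, then re-save users"
    return f"whole container {parent} is missing (server resolved only {best!r}): run groups sync, then re-save users"


# Constructed sample in the shape of the error shown above (not a real log line)
SAMPLE_ERROR = (
    "org.identityconnectors.framework.common.exceptions.ConnectorException: "
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:"
    "'OU=Groups,DC=test_company,DC=local']; remaining name "
    "'CN=My_test_group,OU=Groups,DC=test_company,DC=local'"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, ["OU=Groups,DC=test_company,DC=local"]))
```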

1) Rename or move group in Active Directory

The synchronization must be started every time you rename a group or move it to another organizational unit. Otherwise provisioning of any user who is a member of the modified group fails with the error shown above in the provisioning queue.

2) Delete group in Active Directory or move group from CzechIdM scope

If you want to delete a role or move it out of the IdM scope:

If you deleted groups or moved them out of the IdM scope and then try to provision users with the linked role before the roles have been synchronized, the provisioning will not succeed.

You will recognize this situation by the error mentioned in the note above; also, if you run the synchronization of groups, its log will contain some items in the state Missing account.

To correctly remove a group and its role:

If you do not perform the last step and the role was only moved out of the IdM scope because you want to manage it without IdM, IdM will still remove the managed users from the group!

Tips

CREATE NEW GROUP IN ACTIVE DIRECTORY

You can create a new security group in Active Directory with the Apache Directory Studio by following these steps:

  1. Select an existing group
  2. Right click on the group name → New → New entry
  3. Check the "Use existing entry as template" and click Next
  4. Object classes: Write "group" and click Add → group and top are added to "Selected object classes" → Next
  5. Distinguished Name: Set the value of RDN to your choice → Next
  6. A warning is displayed - click Cancel
  7. Set instanceType = 4
  8. Set sAMAccountName to your choice (right click → Edit values)
  9. Delete values (right click → Delete values) of these attributes:
    1. nTSecurityDescriptor
    2. objectCategory
    3. member (if you don't want to copy members)
    4. sAMAccountType

Finally, click Finish