This manual describes how to manage OUs in AD based on the organizational structure in CzechIdM. The guide sets up a system that creates, deletes and modifies OUs in AD in response to changes in the organizational structure in CzechIdM.
This guide expects that you have already connected AD for managing users, so that general issues with the connection and certificates are properly handled. For more information, refer to the tutorial for connecting AD for users with the Wizard.
With this, you have established the basic settings.
With this, you have established the basic mapping, which still needs to be filled with attributes.
Attributes might differ from project to project. The following are only examples; verify them by checking which parameters are key in your project.
With this, you have established the main attributes. They apply to all entities in the organizational structure in CzechIdM; in most cases you need to restrict this as described in the following step.
You will most probably need to restrict which entities from the organizational structure are created in AD. To do so, in the details of the mapping, go to Account management.
The following simple script blocks creation for two specific nodes, “Contractors” and “Employees”, and allows it for any other node. You need to modify it for your use case.
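    // Do not create an OU for the "Contractors" node
    if (entity.getCode().equals("Contractors")) {
        return Boolean.FALSE
    }
    // Do not create an OU for the "Employees" node
    if (entity.getCode().equals("Employees")) {
        return Boolean.FALSE
    }
    // Every other node is provisioned
    return Boolean.TRUE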
With this, you have established the mapping for provisioning.
You might run into a case where creation and deletion of an OU work, but modification fails. The most common reason is that some attributes need to be filled during creation, but are then updated automatically on the AD side during an update, and CzechIdM attempts to update them as well. The two processes collide and the update ends in an error.
In such a case, go to Scheme - Account and find the attributes you use in the mapping. For the affected attribute, unselect Able to edit. The attribute ou mapped above is an example of an attribute that might be auto-updated when the DN changes.
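The collision described above follows from how LDAP treats the naming attribute: the value of the leftmost RDN (ou for an OU) changes when the entry is renamed, so a separate write to the same attribute competes with the rename. The following Python example is added here and is not CzechIdM or connector code; the function names, DNs and attribute values are constructed, and the "skipped" result is an assumed stand-in for the effect of unselecting Able to edit.

```python
# Added illustration, not CzechIdM or connector code; DNs and values are constructed.

def split_dn(dn):
    """Split a DN into RDN strings; a backslash-escaped comma stays inside its value."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur).lstrip())
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\" and not escaped)
    parts.append("".join(cur).lstrip())
    return parts

def naming_attribute(dn):
    """Return (attribute, value) of the leftmost RDN, e.g. ('ou', 'Sales')."""
    attr, _, raw = split_dn(dn)[0].partition("=")
    value, escaped = [], False
    for ch in raw:  # undoes single-character escapes such as "\,"; "\XX" hex pairs are not handled
        if ch == "\\" and not escaped:
            escaped = True
            continue
        value.append(ch)
        escaped = False
    return attr.strip().lower(), "".join(value)

def plan_update(current_dn, target_dn, target_attrs):
    """Separate a desired OU state into a rename and the attribute writes left over."""
    naming, rdn_value = naming_attribute(target_dn)
    derived = [a for a in target_attrs if a.lower() == naming]
    return {
        # A changed DN is applied as a rename, which also rewrites the naming attribute.
        "rename_to": target_dn if split_dn(current_dn) != split_dn(target_dn) else None,
        # Attributes the directory derives from the DN are left out of the write set.
        "skipped": derived,
        "writes": {a: v for a, v in target_attrs.items() if a not in derived},
        # A mapped value that disagrees with the RDN would fight the rename.
        "conflicts": [a for a in derived if target_attrs[a] != rdn_value],
    }

# Constructed sample: an OU renamed from "Sales" to "Sales, EMEA".
CURRENT_DN = "OU=Sales,OU=Org,DC=example,DC=com"
TARGET_DN = "OU=Sales\\, EMEA,OU=Org,DC=example,DC=com"
TARGET_ATTRS = {"ou": "Sales, EMEA", "description": "Sales department, EMEA region"}

if __name__ == "__main__":
    print(plan_update(CURRENT_DN, TARGET_DN, TARGET_ATTRS))
```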