Differences
devel:documentation:adm:systems:winrm_ad_connector [2021/09/02 12:54] kucerar |
devel:documentation:adm:systems:winrm_ad_connector [2023/11/08 13:46] (current) kotynekv [Configuration] wwarning |
Line 51: | Line 51: | ||
It's better to run it in connector server instead of directly adding dependency to your application(IdM). The reason for this is simple - better security. You can choose user with some limited permissions which will be used as the owner of connector server and then give him access to run only the scripts which you want. | It's better to run it in connector server instead of directly adding dependency to your application(IdM). The reason for this is simple - better security. You can choose user with some limited permissions which will be used as the owner of connector server and then give him access to run only the scripts which you want. | ||
- | It supports basic, ntlm, kerberos and credssp authentication schema for WinRM | + | It supports basic, ntlm, kerberos and credssp authentication schema for WinRM. To use Kerberos, you need to have properly-configured ''/ |
It supports HTTP and HTTPS communication. HTTPS communication can be a little bit tricky to configure. You need the right certificate which is used in WinRM listener on Win server. Store the crt to the on the machine where this connector is running and for: **WinRM < 1.0.5** | It supports HTTP and HTTPS communication. HTTPS communication can be a little bit tricky to configure. You need the right certificate which is used in WinRM listener on Win server. Store the crt to the on the machine where this connector is running and for: **WinRM < 1.0.5** | ||
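Review bot: the added Kerberos sentence in this hunk is cut off after ''/ in this rendering, so the reader never learns which file has to be configured or what it must contain; spell out the full path and the minimum contents the connector needs for Kerberos, and keep it in the same paragraph as "It supports basic, ntlm, kerberos and credssp authentication schema for WinRM." so the requirement is not missed by someone skimming for the authentication list.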
Line 65: | Line 65: | ||
**WinRM >= 1.0.5** | **WinRM >= 1.0.5** | ||
+ | |||
===== Schema generation ===== | ===== Schema generation ===== | ||
Line 151: | Line 152: | ||
We are using encoding otherwise you will have problem with diacritics in powershell when you want to encode the powershell script before sending it via WinRM. | We are using encoding otherwise you will have problem with diacritics in powershell when you want to encode the powershell script before sending it via WinRM. | ||
- | <note important> | + | <note important> |
< | < | ||
Line 164: | Line 165: | ||
For using WinRM part of this connector you need to install a few things which is needed, otherwise you can skip these steps. | For using WinRM part of this connector you need to install a few things which is needed, otherwise you can skip these steps. | ||
- | * Install python, tested versions are 2.7, 3.6 and 3.9 | + | * Install python, tested versions are 3.6 and 3.9 |
* Install pip for managing Python packages - for linux use package managers based on you distribution and install package python-pip. If you are using windows pip will be installed together with python if you use official installator. | * Install pip for managing Python packages - for linux use package managers based on you distribution and install package python-pip. If you are using windows pip will be installed together with python if you use official installator. | ||
* Install pywinrm and dependencies. You can follow official guide [[https:// | * Install pywinrm and dependencies. You can follow official guide [[https:// | ||
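Review bot: dropping Python 2.7 from the tested versions is the right call (it has been end-of-life since January 2020), but the unchanged pip step right below still tells Linux users to "install package python-pip"; with only Python 3.6 and 3.9 supported, that line should name the distribution's Python 3 pip package (python3-pip on current Debian/Ubuntu and RHEL-family systems), otherwise a reader following the list installs pip for the interpreter this change just removed. While in that line, "official installator" should read "official installer".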
Line 175: | Line 176: | ||
#those only if you need them | #those only if you need them | ||
- | pip install --user pywinrm[kerberos] | + | pip install --user pywinrm[kerberos] |
pip install --user pywinrm[credssp] | pip install --user pywinrm[credssp] | ||
Line 262: | Line 263: | ||
=== Cross domain configuration === | === Cross domain configuration === | ||
+ | |||
+ | **<WRAP center round important 60%>\\ | ||
+ | Adding or removing too many groups at once is not supported. Lenght limitation of environment variable on Windows is 8 191 characters so if combination of all added and removed group' | ||
+ | </ | ||
IdM 11.2.0 has support for cross domain. You need connector version 1.0.7 | IdM 11.2.0 has support for cross domain. You need connector version 1.0.7 | ||
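Review bot: the new warning has a typo ("Lenght" should be "Length") and its sentence is cut off at "group'" in this rendering, so the condition that actually triggers the limit is never stated; finish the sentence, and say what the connector does when the combined list of added and removed groups exceeds the 8 191-character environment-variable limit (fails the whole operation, or applies a partial change), so an operator can recognise the failure and work around it by splitting a large membership change into smaller batches as the first sentence already implies.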
Line 272: | Line 277: | ||
Scripts can be found on [[https:// | Scripts can be found on [[https:// | ||
+ | |||
+ | === Send attributes only to WinRM === | ||
+ | |||
+ | In some cases, when you are using AD and WinRM for same operation, you want to use some attributes only in WinRM (powershell). | ||
+ | |||
+ | The reason is that is some attribute for script and AD has no clue about this attribute and the AD part will fail. | ||
+ | |||
+ | To achieve this, you can specify, which attributes should be send only to WinRM. | ||
+ | |||
+ | * Go to system detail - Configuration | ||
+ | * Go to tab Additional connector configuration | ||
+ | * Click on Manage attributes | ||
+ | * Add new attribute with code attributesForWinRM | ||
+ | * Attribute is Short text and multivalued | ||
+ | * Save it and go back to Additional connector configuration | ||
+ | * Fill attribute names which should be send only to WinRM | ||
+ | * Each name on it's own lane | ||
+ | * Names should be the ones which are in schema. | ||
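Review bot: several wording slips in the new "Send attributes only to WinRM" section should be fixed before this goes live: "should be send only to WinRM" should be "should be sent only to WinRM" (it appears twice), "Each name on it's own lane" should be "Each name on its own line", and "The reason is that is some attribute for script and AD has no clue about this attribute and the AD part will fail." is garbled; suggest "The reason is that some attributes exist only for the script; AD does not know them, so the AD part of the operation would fail." Since the last bullet says the names must be the ones in the schema, it would also help to state whether the match is case-sensitive and what happens to a listed name that is not in the schema.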