This page is also available in versions: 9.7 (current)

devel:documentation:systems:dev:winrm_ad_connector [2019/06/13 06:39]
kucerar infos, schema, config
— (current)
Line 1: Line 1:
-====== WinRM + AD Connector ====== 
-This connector is combining [[devel:​documentation:​systems:​dev:​winrm_connector|WinRM]] and [[https://​​wiki/​spaces/​BASE/​pages/​360482/​Active+Directory+JNDI|AD connector]] into one. The main advantage of this is you can execute operation by AD connector or by WinRM connector or with both together in specified order. 
-Recommended way of using this is same as if you use only WinRM. That's mean use it in connector server, you need to install pywinrm, ... 
-Typical use cases for this combined connector are: 
-  * Management of home directories - User is created via AD connector and home directory is created by WinRM Connector (powershell) 
-  * Management of o365 
-  * Management of Exchange 
-  * Management of OpenLims via special client which is on the windows servers and is executed from powershelll 
-  * Basically you use this to connect to system which can be controlled via powershell and is dependent on AD.  
-{{ :​devel:​documentation:​systems:​dev:​winrm_ad_schema.png?​nolink |}} 
-When you use this connector then in IdM you will has only one system and every user who is managed via this system will have only one account. For example if you want to manage home directories together with AD then user will have only one account and so when you create user, directory will be created to.  
-Theoretically you can use WinRM connector for home directories and AD connector for user management separately. You will have two system in IdM and user will have two accounts. But then you will have no control over the order of execution. And when you need to set some ACL permissions to the home directory the user must be created before. 
-When you want to execute some operation via both connectors and the first connector execution will failed then the execution by the second connector is not executed. You will see error in provisioning in IdM. 
-In case where the second execution will fail you will see error in IdM again. Then when retry provisioning will kick in, IdM perform search to the end system again that mean if you want for example assign role in AD to user and then execute powershell for Exchange and the powershell execution will fail for some reason. Retry provisioning will know that the role is already assigned so nothing will happen via AD connector and only powershell will be executed. 
-===== Configuration ===== 
-In configuration you have the option to configure AD connector and WinRM connector. 
-So follow [[devel:​documentation:​systems:​dev:​winrm_connector|WinRM]] and [[tutorial:​adm:​manage_ad#​connector_configuration|AD]] configuration.  ​ 
-Then there are some other options which can be configured. You can configure which connector will be used for which operation. 
-For example you can use AD + WinRM for create and only WinRM for delete, etc. 
-{{ :​devel:​documentation:​systems:​dev:​winrm_ad_config.png?​nolink&​400 |}} 
-You can configure the order of connectors. Default behavior is that AD connector is first. 
-{{ :​devel:​documentation:​systems:​dev:​winrm_ad_order.png?​nolink&​400 |}}
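Review bot: this revision removes the whole WinRM + AD Connector page (every line in the hunk is a `-` line and nothing is added) without leaving a redirect or a pointer to where the content now lives, even though the header states the page is also available in version 9.7; keep at least a stub such as `====== WinRM + AD Connector ======` followed by a link to the 9.7 page. The removed lines are the only place documenting two behaviours an administrator depends on when reasoning about provisioning safety: the execution order (AD connector first, so the account exists before the WinRM PowerShell step sets ACLs on the home directory) and the fail-fast rule (a failure in the first connector stops the second and surfaces a provisioning error in IdM, and retry re-reads the end system so an already-assigned AD role is not re-applied). If the page was intentionally retired rather than moved, the deletion should say so in the revision summary so readers of the history do not assume the content was lost by mistake.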