Revision: tutorial:adm:ad_groups_sync [2018/05/21 14:02] stloukalp [Workflow]
Revision: tutorial:adm:ad_groups_sync [2019/08/22 20:22] apeterova [tips]
====== Systems - AD: Groups synchronization ======

This tutorial is intended as a guide for administrators who want to load AD groups into CzechIdM (either once or as a scheduled job).

You will learn
  * how to connect an AD system for groups synchronization
  * how to use a groups sync workflow
  * how to prepare users so that IdM roles can be assigned to them according to their AD groups

===== Before you start =====
First of all, you need to download the connector from ConnId (e.g. [[http://
Then add the jar file to the CzechIdM folder inside the application server. In case you installed CzechIdM into Tomcat by the standard installation,

<note tip>To preserve the connector during future upgrades of the CzechIdM core, put the connector in e.g. /
<code>
ln -s /
</code>
</note>

Then restart the application server. If you already had CzechIdM open in the web browser, refresh the browser window as well (e.g. Ctrl+F5).


Then, following the tutorial [[.eav|]], you should create EAVs for IdmTreeNode,


===== Create system =====

  * Go to **Systems** in the left menu and then click on **Add**.

{{ :

  * Fill in the name of the system and click on **Save and continue**.
  * In the **Configuration** tab choose the AD connector (net.tirasa.connid.bundles.ad.ADConnector).

{{ :

===== Connector configuration =====
On this page fill in these important values:
  * **Server hostname** - IP address or hostname of the AD server
  * **Server port** - port on which the AD server listens (typically 389 for LDAP, 636 for LDAPS; prefer LDAPS, otherwise the principal's password crosses the network in clear text)
  * **Principal** - username with which the connector binds to the AD system; this account has to have enough rights to read the groups. For the synchronization itself read access is enough, so use a read-only account where you can.
  * **Principal password** - password of the principal above
  * **Root suffixes** - DNs of the **Base contexts**; groups outside these suffixes are not found
  * **Entry object classes** - list of all objectClasses that groups have in AD. It is necessary to match only groups: with wrong settings (e.g. ''top'' alone) even users would be found.
  * **Group search scope** - choose object, onelevel or subtree; this is where groups are searched for. As a **subtree**,
  * **Custom group search filter** - an additional LDAP filter restricting which groups are searched for. You can use it e.g. to filter out groups with some specific substring in their CN by using the LDAP filter ''
  * **Base contexts for group entry searches** - list of distinguished names (paths) under which groups are searched for.
  * **Group members reference attribute** - name of the attribute that indicates membership; in AD this is ''member'' and it contains the whole DNs of the members.
  * **useVlvControls** - has to be enabled; this is the only supported option
  * **pageSize** - a number; it has to be greater than the count of all groups in AD so that the whole result fits into one page.
  * **vlvSortAttribute** - an attribute with sorting properties by which the VLV result is ordered. Recommended is sAMAccountName.
  * **Uid Attribute for groups** - unique identifier of a group; recommended is sAMAccountName or objectGUID. Note that sAMAccountName changes when a group is renamed, whereas objectGUID stays the same for the lifetime of the object.
  * **Object classes to synchronize** - object classes by which the groups to be synchronized are found. The content is usually the same as in **Entry object classes**.

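The following Python script is an added example (it is not part of this tutorial, of CzechIdM or of the ConnId AD connector) that lets you check the interplay of **Entry object classes**, **Custom group search filter** and **pageSize** offline before you point the connector at a real domain. It assumes that the connector combines every configured objectClass and the custom filter with a logical AND; the directory entries, the DNs and the filter ''(!(cn=*test*))'' are constructed sample data.

```python
"""Offline check of an AD group-search configuration.

Added example, not CzechIdM or ConnId code. Assumption: the connector searches
with every configured objectClass AND-ed together with the custom group filter.
"""
import re

# Constructed sample entries standing in for what the AD server would return.
SAMPLE_ENTRIES = [
    {"dn": "CN=IdM-Admins,OU=Groups,DC=example,DC=local",
     "objectClass": ["top", "group"], "cn": "IdM-Admins", "sAMAccountName": "IdM-Admins"},
    {"dn": "CN=IdM-Test-Group,OU=Groups,DC=example,DC=local",
     "objectClass": ["top", "group"], "cn": "IdM-Test-Group", "sAMAccountName": "IdM-Test-Group"},
    {"dn": "CN=jdoe,OU=Users,DC=example,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": "jdoe", "sAMAccountName": "jdoe"},
]


def parse_filter(text):
    """Parse a subset of RFC 4515 LDAP filters: &, |, !, and attr=value with '*' wildcards."""
    def parse(pos):
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                child, pos = parse(pos)
                children.append(child)
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            return (op, children), pos + 1
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        return ("=", attr.strip().lower(), value), end + 1

    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry; AD names and values are case-insensitive."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = []
    for key, stored in entry.items():
        if key.lower() == attr:
            values.extend(stored if isinstance(stored, list) else [stored])
    if value == "*":  # presence filter
        return bool(values)
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def group_search_filter(entry_object_classes, custom_filter=None):
    """Effective filter: all configured objectClasses AND the optional custom filter (assumed)."""
    items = "".join(f"(objectClass={oc})" for oc in entry_object_classes)
    return f"(&{items}{custom_filter or ''})"


def find_groups(entries, entry_object_classes, custom_filter=None, page_size=None):
    """Return the DNs the configuration would match; refuse a pageSize that cannot hold them all."""
    node = parse_filter(group_search_filter(entry_object_classes, custom_filter))
    found = [e["dn"] for e in entries if matches(node, e)]
    if page_size is not None and page_size <= len(found):
        raise ValueError(f"pageSize {page_size} must be greater than the {len(found)} matching groups")
    return found


if __name__ == "__main__":
    print(find_groups(SAMPLE_ENTRIES, ["top", "group"]))                    # the two groups
    print(find_groups(SAMPLE_ENTRIES, ["top"]))                             # the user slips in
    print(find_groups(SAMPLE_ENTRIES, ["top", "group"], "(!(cn=*test*))"))  # test group filtered out
```

Run it with the object classes and custom filter you intend to configure; the second call shows what happens when **Entry object classes** is too broad, and passing ''page_size'' smaller than the number of matches reproduces the pageSize rule from the list above.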
===== Connector'
  * First, in the **Scheme** tab generate the schema with the green button. If an exception appears, there is probably a mistake in the connector configuration.

{{ :

  * Then in the **Mapping** tab create a new mapping - synchronization (\_\_GROUP\_\_ (Object name), Role (Entity type)).

{{ :

  * Now we will map just 3 attributes. Click on the green add button as in the picture below and fill in:

<
| Attribute in schema | Name | Attribute
| __Name__ (__GROUP__)| Distinguished name | extended
| name (__GROUP__)
| __UID__ (__GROUP__) | __UID__
</

{{ :

  * In the **Synchronization** tab create a new synchronization.

{{ :

  * Enable **Allowed** and **Reconciliation**. Fill in **Name** and **Set of mapped attributes**, and then **Correlation attribute** as '
  * Below there are 4 possible situations in which the synchronization can find a group (Linked, Not linked, Missing entity, Missing account).
    * **Linked** - essentially an update: the group is in AD and also in IdM and the two are linked, but the group may have changed in AD, so usually the **Action** is "
    * **Not linked** - the group is in AD and also in IdM, but in IdM it was not created by the synchronization,
    * **Missing entity** - in other words the create action: the group is in AD but not in IdM. Either it was newly created in AD and is not yet in IdM, or it was already deleted in IdM. This situation only supports "
    * **Missing account** - or "
  * For each of these situations there is a select box "

{{ :
{{ :

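To make the four situations above concrete, here is an added Python model of the decision (example code, not CzechIdM's own implementation). It takes the groups read from AD, the roles present in IdM and the links recorded by earlier runs, matches unlinked groups by the correlation attribute, and reports the **Missing account** situation only when reconciliation is on, which is why the tutorial tells you to enable it. The ''links'' structure, the role ids and all group names are assumptions for illustration.

```python
"""Model of the four synchronization situations (Linked, Not linked,
Missing entity, Missing account).  Added example, not CzechIdM code.

Assumptions: `links` maps the account UID (e.g. sAMAccountName) to the id of
the role it was linked to by an earlier run; correlation compares the mapped
correlation attribute of an unlinked account with the roles case-insensitively.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """A group as read from the AD system."""
    uid: str    # __UID__ of the group, here sAMAccountName
    name: str   # mapped name attribute, used as the correlation attribute
    dn: str


@dataclass(frozen=True)
class Role:
    """A role in IdM."""
    id: str
    name: str


def classify(accounts, roles, links, correlation_attribute="name", reconciliation=True):
    """Return {situation: [(account or None, role or None), ...]}."""
    result = {"LINKED": [], "UNLINKED": [], "MISSING_ENTITY": [], "MISSING_ACCOUNT": []}
    roles_by_id = {role.id: role for role in roles}
    roles_by_correlation = {}
    for role in roles:
        roles_by_correlation.setdefault(getattr(role, correlation_attribute).lower(), role)

    for account in accounts:
        linked_role = roles_by_id.get(links.get(account.uid))
        if linked_role is not None:
            # Link exists and the role still exists: the role is updated from the account.
            result["LINKED"].append((account, linked_role))
            continue
        # No usable link (never linked, or the role was deleted in IdM): try correlation.
        candidate = roles_by_correlation.get(getattr(account, correlation_attribute).lower())
        if candidate is not None:
            result["UNLINKED"].append((account, candidate))
        else:
            result["MISSING_ENTITY"].append((account, None))

    if reconciliation:
        # Only reconciliation walks the IdM side, so only then can a vanished group be noticed.
        present = {account.uid for account in accounts}
        for uid, role_id in links.items():
            if uid not in present and role_id in roles_by_id:
                result["MISSING_ACCOUNT"].append((None, roles_by_id[role_id]))
    return result


def summary(result):
    """Condense the classification to identifiers, e.g. for logging."""
    return {
        situation: [(acc.uid if acc else None, role.id if role else None) for acc, role in pairs]
        for situation, pairs in result.items()
    }


# Constructed sample data: three groups in AD, three roles in IdM, two links from earlier runs.
ACCOUNTS = [
    Account("idm-admins", "IdM-Admins", "CN=IdM-Admins,OU=Groups,DC=example,DC=local"),
    Account("idm-audit", "IdM-Audit", "CN=IdM-Audit,OU=Groups,DC=example,DC=local"),
    Account("idm-new", "IdM-New", "CN=IdM-New,OU=Groups,DC=example,DC=local"),
]
ROLES = [Role("r1", "IdM-Admins"), Role("r2", "idm-audit"), Role("r3", "IdM-Old")]
LINKS = {"idm-admins": "r1", "idm-old": "r3"}  # r2 was created by hand in IdM, never linked

if __name__ == "__main__":
    for situation, pairs in summary(classify(ACCOUNTS, ROLES, LINKS)).items():
        print(situation, pairs)
```

With the sample data ''IdM-Admins'' is Linked, ''IdM-Audit'' is Not linked (found by correlation despite the different letter case), ''IdM-New'' is Missing entity and the role ''IdM-Old'' is Missing account; run it again with ''reconciliation=False'' and the last situation is never reported.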
===== Synchronization =====
At this point the configuration of the synchronization is complete. Save the synchronization and run it. It should smoothly create a role catalogue, new roles and maybe even some automatic roles. If provisioning of memberships fails, do not forget to try "
<note tip> In user provisioning system'


===== Tips =====

You can create a new security group in Active Directory with Apache Directory Studio by following these steps:

  - Select an existing group
  - Right click on the group name -> New -> New entry
  - Check "Use existing entry as template"
  - Object classes: write "
  - Distinguished Name: set the value of RDN to your choice -> Next
  - A warning is displayed - click Cancel
  - Set instanceType = 4
  - Set sAMAccountName to your choice (right click -> Edit values)
  - Delete the values (right click -> Delete values) of these attributes; nTSecurityDescriptor, objectCategory and sAMAccountType are set by AD itself for a new entry, so they must not be copied from the template:
    - nTSecurityDescriptor
    - objectCategory
    - member (if you don't want to copy members)
    - sAMAccountType

{{:

Finally, click Finish
