Differences
tutorial:adm:ad_groups_sync [2019/08/22 16:26] apeterova group search filter |
tutorial:adm:ad_groups_sync [2021/03/04 11:02] apeterova typos |
Line 42: | Line 42: | ||
* **Principal password** - password of the " | * **Principal password** - password of the " | ||
* **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these " | * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these " | ||
- | * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. | + | * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. |
- | * **Group search scope** - Choose | + | * **Group search scope** - Default subtree. Options: |
- | * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter '' | + | * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter '' |
* **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. | * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. | ||
* **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users. | * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users. | ||
* **useVlvControls** - have to be enabled - this is only supported option | * **useVlvControls** - have to be enabled - this is only supported option | ||
- | * **pageSize** - number, it should be greater | + | * **pageSize** - number, it should be lower than maximum page size limit in AD, which is by default 1000. Recommended: |
- | * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended is sAMAccountName. | + | * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended |
- | * **Uid Attribute for groups** - unique identifier, recommended is sAMAccountName or objectGUID. | + | * **Uid Attribute for groups** - unique identifier, recommended is objectGUID. |
* **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**. | * **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**. | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | <note tip> In user provisioning system' | ||
+ | <note tip> In user provisioning system' | ||
+ | <note warning> | ||
+ | If there are more than 10000 groups in AD and "Base contexts for group entry searches" | ||
+ | LDAP: error code 12 - 000020EF: SvcErr: DSID-03140552, | ||
+ | |||
+ | workaround/ | ||
+ | * OU=001OU, | ||
+ | * OU=002OU, | ||
+ | * OU=003OU, | ||
+ | * OU=004OU, | ||
+ | * OU=005OU, | ||
+ | |||
+ | Another way to solve this problem is by using " | ||
+ | </ | ||
+ | |||
===== Connector' | ===== Connector' | ||
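Review bot: the new warning block (L27-L28) names the symptom but not the cause, which is what a reader needs in order to trust the workaround: the error code 12 / 000020EF failure appears when the VLV sorted search (mandatory here, since L16 says useVlvControls is the only supported option) runs against more than 10000 groups under one base context, and the 10000 figure matches the default of AD's MaxTempTableSize LDAP policy; stating that makes it clear why splitting "Base contexts for group entry searches" per OU (L31-L35, currently only truncated placeholder DNs) keeps each search under the limit. Please also quote the full error text rather than the cut-off prefix so people can grep for it. Two smaller points: the revised Uid recommendation (objectGUID, L19) is the right change but should say why, namely that objectGUID survives a rename or move while sAMAccountName changes on rename, so with sAMAccountName as UID a renamed group shows up as a Missing account plus a new account; and the pageSize text (L17) should say "lower than or equal to" the MaxPageSize limit, because a value equal to 1000 is still served while anything larger is silently capped and breaks VLV paging.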
Line 62: | Line 81: | ||
{{ : | {{ : | ||
- | * Now we will map just 3 attributes. Click on green add button like on picture below and this fill in: | + | * Now we will map just 4 attributes. Click on green add button like on picture below and this fill in: |
< | < | ||
| Attribute in schema | Name | Attribute | | Attribute in schema | Name | Attribute | ||
| __Name__ (__GROUP__)| Distinguished name | extended | | __Name__ (__GROUP__)| Distinguished name | extended | ||
- | | name (__GROUP__) | + | | name (__GROUP__) |
- | | __UID__ (__GROUP__) | __UID__ | + | | code (__GROUP__) |
+ | | __UID__ (__GROUP__) | __UID__ | ||
</ | </ | ||
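Review bot: the mapping table now has four rows, but the Attribute column for the new `name (__GROUP__)` and `code (__GROUP__)` rows (L47-L48) is empty in this revision, so the reader cannot tell which AD attribute feeds the role name and role code; fill both in. If `code` is taken from a mutable attribute (the group's name or sAMAccountName) rather than from the `__UID__` row (L49, which with the objectGUID recommendation above is the stable identifier), a rename in AD changes the role code, and that interaction should be mentioned next to the rename/move procedure later on the page.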
Line 77: | Line 97: | ||
{{ : | {{ : | ||
- | * Enable **Allowed** and **Reconcillation**. Fill **Name, Set of mapped attributes** and then **Correlation attribute** as ' | + | * Enable **Allowed** and **Reconcilation**. Fill **Name, Set of mapped attributes** and then **Correlation attribute** as ' |
* Bellow there are 4 possibilities on state when synchronization starts (Linked, Not linked, Missing entity, Missing account). | * Bellow there are 4 possibilities on state when synchronization starts (Linked, Not linked, Missing entity, Missing account). | ||
* **Linked** - it's like update, group is in the AD and also in IdM, but it is possible in the AD could be some change, so usually **Action** is " | * **Linked** - it's like update, group is in the AD and also in IdM, but it is possible in the AD could be some change, so usually **Action** is " | ||
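Review bot: the typo fix at L53 replaces "Reconcillation" with "Reconcilation", which is still misspelled; the setting is "Reconciliation". While here, "Bellow" at L54 should read "Below", and the Correlation attribute value at L53 is cut off in this revision, so the reader cannot see which attribute the sync correlates on.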
Line 88: | Line 108: | ||
{{ : | {{ : | ||
- | ===== Synchronization ===== | + | ===== Synchronization |
At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try " | At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try " | ||
- | <note tip> | + | |
- | < | + | <note tip>If you synchronize groups with resolving users membership, the connector doesn't support groups with more than 1000 members (by default). If you need more, you must (temporarily) increase MaxPageSize in the AD configuration.</ |
+ | |||
+ | ==== Editing groups in Active Directory ==== | ||
+ | CzechIdM managing membership | ||
+ | If you will don't follow correct steps, you will end with following error in provisioning | ||
+ | |||
+ | < | ||
+ | <code> | ||
+ | org.identityconnectors.framework.common.exceptions.ConnectorException: | ||
+ | [LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, | ||
+ | remaining name ' | ||
+ | </ | ||
+ | This error means that CzechIdM can not find DistinguishedName set in assigned role for any group in Active Directory. | ||
+ | This group could be renamed, moved or deleted. | ||
+ | If you come across a mentioned error, just delete items in provisioning queue for users, go through the specified tutorial and resave stuck users when it's finished. | ||
+ | </note> | ||
+ | |||
+ | |||
+ | ==== 1) Rename or move group in Active Directory ==== | ||
+ | Synchronization must be started after each time you **rename** a group or **move** group to another organization unit. | ||
+ | Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning | ||
+ | |||
+ | ==== 2) Delete group in Active Directory or move group from CzechIdM scope ==== | ||
+ | |||
+ | |||
+ | If you want to delete role or move it from IDM scope: | ||
+ | * Make sure that no users have assigned role for this group and that the role is not used as automatic role. | ||
+ | * Then you can remove group from AD and **remove role from managed attributes**. | ||
+ | |||
+ | If you deleted groups or moved from IDM scope and you will try provisioning of users with linked role before synchronization of roles, provisioning will not be successful. | ||
+ | |||
+ | You will recognize this situation by error mentioned in the note above and also if you will run synchronization of groups, in log of synchronization you will have some items in the state **Missing account**. | ||
+ | |||
+ | **To correctly remove group and role:** | ||
+ | * Open synchronization item with **Missing account** state and copy **Entity ID** from item. In most cases ID is ObjectGUID of the group. | ||
+ | * Go to **Account on system** on system for Groups | ||
+ | * Make sure that you remove this role from all users. | ||
+ | * Remove the role from IDM. | ||
+ | * Remove group from AD. | ||
+ | * Go to system for AD User -> Attributes | ||
+ | |||
+ | <note warning> | ||
+ | If you will not perform last step and role was just moved from scope of IDM, because you want to manage this role without IDM -> **IDM will still remove group managed users!** | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Tips ===== | ||
+ | |||
+ | ==== CREATE NEW GROUP IN ACTIVE DIRECTORY ==== | ||
+ | |||
+ | You can create a new security group in Active Directory with the Apache Directory Studio by following these steps: | ||
+ | |||
+ | - Select an existing group | ||
+ | - Right click on the group name -> New -> New entry | ||
+ | - Check the "Use existing entry as template" | ||
+ | - Object classes: Write " | ||
+ | - Distinguished Name: Set the value of RDN to your choice -> Next | ||
+ | - A warning is displayed - click Cancel | ||
+ | - Set instanceType = 4 | ||
+ | - Set sAMAccountName to your choice (right click -> Edit values) | ||
+ | - Delete values (right click -> Delete values) of these attributes: | ||
+ | - nTSecurityDescriptor | ||
+ | - objectCategory | ||
+ | - member (if you don't want to copy members) | ||
+ | - sAMAccountType | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Finally, click Finish | ||
+ |
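Review bot: the advice at L61 to raise MaxPageSize needs a caveat and a check. MaxPageSize lives in AD's domain-wide Default Query Policy, so raising it affects every LDAP client, not just this connector, and it loosens a limit that bounds the cost of a single search; the text should tell the reader to restore the original value once the sync has run, as the "(temporarily)" hints. It should also state which limit is actually hit: MaxPageSize caps the number of entries returned per search result, whereas the number of values returned for a multi-valued attribute such as `member` is governed by the separate MaxValRange policy (1500 by default on current Windows Server), so which one matters depends on whether the connector resolves membership by searching user entries or by reading the group's `member` attribute. Second, L81 says provisioning "will fail with following error" but no error follows; point to the error code 32 (0000208D, NameErr) block at L69-L71 instead, and note that the rename/move procedure only works because the group UID is objectGUID as recommended earlier on the page. Third, L75 tells the reader to "just delete items in provisioning queue for users"; that discards every operation queued for those accounts, not only the failed membership one, so ask them to review the queued items first or restrict the deletion to the operations for the affected role. The step at L96 is cut off after "Go to Account on system", so the action to take there is missing, and the warning at L102-L103 depends on the also-truncated step at L100; both should spell out what is done. Finally, the Apache Directory Studio recipe (L113-L127) clones an existing group, which copies every attribute the wizard does not strip, including `groupType` (security vs. distribution, and scope) and, unless deleted, `member`; copying members silently hands the template's members whatever the new group is later granted, so delete `member` unconditionally rather than "if you don't want to copy members", tell the reader to pick a template with the intended groupType, name the warning that L120 says to cancel, and end the recipe with "run the group synchronization" so CzechIdM creates the role for the new group instead of leaving it unmanaged.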